HeroHealth

Your Wellness Starts Here

Privacy Policy

Last updated: [Date to be confirmed]

1. Introduction

HeroHealth Collective (“we,” “us,” or “our”) operates the HeroHealth Collective platform (the “Service”), a community wellness platform for veterans, first responders, and health-focused individuals. This Privacy Policy explains what information we collect, how we use it, with whom we share it, and what choices you have.

By creating an account or using the Service, you agree to the collection and use of information described in this Policy.

2. Information We Collect

Account Information

When you register, we collect your email address (used to authenticate your account and send transactional communications) and a hashed password managed by our authentication provider. We never store plaintext passwords.

Profile Information

You may optionally provide your full name, display name, profile photo, biography, date of birth, gender, ZIP code, user type (e.g., veteran, first responder), activity level, fitness goals, and workout preferences. Optional fields are not required to use the Service.

Fitness and Activity Data

If you connect a Strava account or Android Health Connect, we import activity type, distance, duration, start time, calorie estimates, step counts, and heart rate data. For Strava, we store OAuth tokens in your profile to maintain the connection. For Health Connect (Android 13+), your data is read directly from your device with your explicit permission and not stored by us beyond what is necessary to display and aggregate activities. You can disconnect either service at any time in your account settings.

Note: “Apple Health” integration is not currently active. Health Connect is available on Android devices running Android 13 or newer.

Android Health Connect Data (Android 13+)

What health data do we read?
With your explicit permission, HeroHealth reads the following data from your device via Android Health Connect:
  • Step count (number of steps taken)
  • Distance traveled (walking, running, cycling)
  • Calories burned
  • Exercise sessions (type, start/end time, duration, notes)

Why do we read this data?
We use this data to display your activity history, track your progress, and provide personalized wellness insights and challenges. This helps you monitor your health and participate in community features.

Is this data stored or synced to your backend?
Yes. When you choose to sync, we store aggregated metrics (steps, distance, calories, exercise sessions) in your HeroHealth account so you can view your history across devices and restore your data if you reinstall the app. Raw data is not shared with other users.

Is this data shared with third parties?
No. Health data from Health Connect is never shared with advertisers, analytics companies, or any third parties beyond what is required to operate the Service (see provider table below). We do not sell or monetize your health data.

How can you revoke access or delete your data?
  • You can revoke HeroHealth’s access to Health Connect at any time in your device’s Health Connect app permissions screen.
  • You can delete your HeroHealth account at any time from your account settings, which will permanently erase all synced health data from our servers.

Rationale for requesting permissions:
HeroHealth requests access to your health data solely to provide you with activity tracking, progress monitoring, and wellness features. We do not access or use your health data for any other purpose.

Wellness and Mental Health Data

If you use wellness tracking features, we collect daily mood, energy, stress level, sleep hours, minutes of meditation and journaling, and whether you attended a therapy session. This data is stored per-day and aggregated into weekly summaries. You may delete your account at any time to remove this data.

We treat wellness data with heightened care. It is visible only to you and is not shared with other users or third parties beyond what is necessary to operate the Service.

Social and Community Content

We collect content you create including feed posts and media, comments, emoji reactions, buddy check-in messages, and connection requests. Posts and comments may be visible to other users or the public depending on how your profile is configured.

Anonymous distress alerts: The platform includes an optional feature that allows you to notify a buddy that you are struggling without revealing your identity. When you use this feature, your identity is removed from the alert. However, thread metadata (timing, participants) is retained in our systems, and platform administrators with database access can see all data.

Contact Form Submissions

When you submit our contact form, we collect your name, email address, subject, and message. This information is stored in our database and emailed to our team.

Usage and Analytics Data

We use Vercel Analytics and Vercel Speed Insights to collect anonymous usage telemetry including page views, navigation paths, and performance metrics. This data is collected automatically when you visit any page on the Service.

3. How We Use Your Information

  • Create and manage your account and profile
  • Provide and personalize the Service, including fitness tracking, social feed, and buddy matching
  • Import and display your fitness activity data from connected services
  • Aggregate wellness data into weekly summaries for your personal dashboard
  • Facilitate check-in messages and buddy connections
  • Respond to contact form inquiries
  • Send transactional emails (e.g., password resets)
  • Analyze and improve platform performance via analytics
  • Support challenge participation and rewards

We do not sell your personal information to third parties.

4. Data Sharing and Third-Party Processors

We share your data only with the following service providers, solely to operate the Service:

Provider               | Purpose
Supabase               | Database, authentication, and storage
Cloudinary             | Media file storage (photos and videos)
Strava                 | Fitness activity import via OAuth
Android Health Connect | Health data access on Android 13+ devices (local read only)
Resend                 | Transactional email delivery
Vercel                 | Hosting, analytics, and performance monitoring

We do not share your data with advertisers, data brokers, or analytics companies beyond those listed above.

5. Your Rights and Choices

Account and Data Deletion

You may permanently delete your account at any time from your account settings. Deleting your account removes your profile, posts, messages, activity data, wellness data, and uploaded media. This action is irreversible.

Correction

You may update most profile information at any time through your account settings.

Strava Disconnection

You may disconnect Strava at any time through your account settings, which will clear the OAuth tokens we hold. Activity data already imported will remain in your account until you delete your account.

Data Access Requests

To request a copy of the personal data we hold about you, please contact us at the address below.

6. Data Security

We use Supabase to store your data, which provides encryption at rest and in transit. Passwords are stored as hashed credentials and are never visible to us. We use server-side sessions and bearer tokens for API authentication.

Despite our precautions, no security system is impenetrable. We cannot guarantee the absolute security of your information.

7. Children's Privacy

The Service is not directed to individuals under the age of 13. We do not knowingly collect personal information from children. If you believe a child has provided us with personal information, please contact us.

8. Mental Health Resources

If you are in crisis, please contact the 988 Suicide and Crisis Lifeline by calling or texting 988, or contact the Crisis Text Line by texting HOME to 741741.

9. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes via email or an in-app notice. Continued use of the Service after the effective date constitutes acceptance of the updated Policy.

10. Contact Us

If you have questions about this Privacy Policy or wish to submit a data access or deletion request, please contact us:

HeroHealth Collective
Email: privacy@herohealth.app