Privacy Policy
Last updated: March 26, 2026
1. Introduction
This Privacy Policy explains how Heartio ("we," "us," or "our"), operated by Elliot Myhre, collects, uses, and protects your information when you use the Heartio watchOS app, iOS companion app, and the heartio.app website (collectively, the "Service").
We take your privacy seriously — especially when it comes to health data. We designed Heartio to collect only what is necessary to make the game work.
2. Information we collect
a. Authentication data
When you create an account, we collect one of the following depending on the sign-in method you choose:
- Email address (magic link sign-in via Firebase Authentication)
- Phone number (OTP sign-in via Firebase Authentication)
This information is stored by Firebase Authentication and is used solely to identify your account.
b. Game data
We store gameplay information on our servers (Supabase) to power scoring, streaks, and the leaderboard. This includes:
- Your guessed BPM and the accuracy of each guess
- Daily scores and point totals
- Streak count and rank history
- Display name (if you choose to set one)
c. Health data (heart rate)
Your heart rate data never leaves your device.
Heartio reads your real-time heart rate from Apple HealthKit via a workout session on your Apple Watch. This data is used on-device to compare against your guess. We do not transmit, store, or have access to your raw heart rate readings on our servers. Only the result of the guess (how close you were) is sent to our backend — never the BPM itself.
d. Analytics data
We use Google Analytics (via Firebase) to understand how visitors use the website and app. This automatically collects:
- Pages viewed and time spent on each page
- Referral source (how you found us)
- Device type, browser, and operating system
- General geographic region (country/city level, not precise location)
- Interactions such as button clicks (e.g., App Store download badge)
This data is aggregated and anonymized. We do not use it to identify individual users. We do not use advertising trackers or sell analytics data to third parties. See Google's Privacy Policy for details on how Google processes analytics data.
3. How we use your information
| Data | Purpose |
|---|---|
| Email or phone | Account authentication and recovery |
| Game scores and streaks | Leaderboard rankings, daily challenges, profile stats |
| Guess accuracy | Scoring calculation and game history |
| Display name | Public leaderboard identification (optional) |
We do not sell your data to third parties. We do not use your data for advertising. We do not share your data with anyone except as described in this policy.
4. Third-party services
Heartio uses the following third-party services to operate:
Apple HealthKit
Used to read real-time heart rate data on your Apple Watch. All HealthKit data stays on your device and is governed by Apple's Privacy Policy. We comply with Apple's HealthKit guidelines and do not use health data for advertising or data mining.
Firebase Authentication (Google)
Used to manage account sign-in via email magic links and phone OTP. Firebase processes your email or phone number for authentication purposes. See Firebase's Privacy Policy.
Supabase
Used as our backend database and API layer. Game data (scores, streaks, profiles) is stored in Supabase. See Supabase's Privacy Policy.
Google Analytics (via Firebase)
Used to collect anonymized website and app usage data including page views, referral sources, device type, and button interactions. See Google's Privacy Policy.
5. Data storage and security
Game data is stored in Supabase with row-level security policies that ensure each user can access only their own data (except for public leaderboard data). Authentication is managed by Firebase with industry-standard security practices.
While we take reasonable measures to protect your information, no method of transmission or storage is 100% secure. We cannot guarantee absolute security.
6. Data retention
We retain your account and game data for as long as your account is active. If you request deletion of your account, we will delete your authentication data and game records within 30 days. Anonymized aggregate data (such as total games played across all users) may be retained indefinitely.
7. Your rights
Depending on your jurisdiction, you may have the right to:
- Access the personal data we hold about you
- Request correction of inaccurate data
- Request deletion of your account and associated data
- Withdraw consent for data processing
- Export your data in a portable format
To exercise any of these rights, contact us at hello@heartio.app. We will respond within 30 days.
8. Children's privacy
Heartio does not knowingly collect personal information from children under the age of 13. If we learn that we have collected data from a child under 13, we will delete it promptly. If you believe a child under 13 has provided us with personal information, please contact us at hello@heartio.app.
9. International users
If you are located outside the United States, please be aware that your information may be transferred to and processed in the United States, where our servers are hosted. By using the Service, you consent to this transfer.
10. Changes to this policy
We may update this Privacy Policy from time to time. If we make material changes, we will update the "Last updated" date at the top of this page. We encourage you to review this policy periodically.
11. Contact
If you have questions or concerns about this Privacy Policy or your data, contact us at: