Privacy Policy
Your Privacy Matters: HeartLab is designed with privacy at its core. Your health data stays on your device and is never uploaded to our servers without your explicit consent.
1. Introduction
HeartLab ("we," "our," or "us") is committed to protecting your privacy. This Privacy Policy explains how HeartLab ("the App") collects, uses, and protects your personal information.
By using HeartLab, you agree to the collection and use of information in accordance with this policy. If you do not agree with this policy, please do not use the App.
2. Data Controller
The data controller responsible for your personal data is:
CEPALabs SHPK
NUIS: M61327011S
Rruga Andon Zako Cajupi, Ndërtes 3, Hyrja Nr. 11
Tiranë, Albania
- Phone: +39 379 234 5841
- Email: hello@heartlab.it
- Website: heartlab.it
3. Information We Collect
3.1 Health Data (Special Category Data)
HeartLab accesses and processes the following health data from Apple HealthKit:
- ECG Recordings: Electrocardiographic data from your Apple Watch
- Heart Rate Data: Heart rate measurements and variability
- Rhythm Classification: Apple's ECG classification results
Important: This data is processed locally on your device. We do not upload, store, or have access to your raw ECG data on our servers.
3.2 Health Profile Information
If you choose to create a health profile, you may provide:
- Age and biological sex
- Height and weight
- Pre-existing medical conditions (optional)
- Current medications (optional)
- Family medical history (optional)
- Sports activity level (optional)
3.3 Account Information
If you create an account, we collect:
- Email address
- Authentication credentials (securely hashed)
- Sign in with Apple identifier (if used)
3.4 Usage Data
We may collect anonymized usage data to improve the App, including:
- App feature usage patterns
- Crash reports and error logs
- Device type and iOS version
3.5 Apple HealthKit Data - Important Disclosures
In compliance with Apple's HealthKit requirements, we explicitly state that:
- (a) NO ADVERTISING: Your HealthKit data (ECG recordings, heart rate, rhythm classifications) is NEVER used for advertising or marketing purposes.
- (b) NO SELLING: We do NOT sell, license, or otherwise disclose your HealthKit data to any third party, including advertising platforms, data brokers, or information resellers.
- (c) NO THIRD-PARTY SHARING: Your HealthKit data is NOT shared with third parties except:
  - When you explicitly request AI analysis (data sent to OpenAI only for that specific request)
  - When required by law
- (d) HEALTH PURPOSES ONLY: HealthKit data is used exclusively to provide health and fitness features within the App, including ECG analysis, heart rate variability calculations, and trend monitoring.
- (e) LOCAL PROCESSING: Your HealthKit data is primarily processed on your device. We do not store your raw ECG data on our servers.
- (f) USER CONTROL: You can revoke HeartLab's access to HealthKit at any time through your iPhone's Settings > Privacy & Security > Health > HeartLab.
4. How We Use Your Information
We use your information for the following purposes:
- ECG Analysis: To provide detailed analysis of your ECG recordings locally on your device
- AI Assistant: When you use the AI feature, selected ECG data is sent to OpenAI for analysis (only with your explicit action)
- Personalization: To customize insights based on your health profile
- App Improvement: To fix bugs and improve app performance
- Support: To respond to your inquiries and provide customer support
5. Data Storage and Security
5.1 On-Device Storage
The majority of your data is stored locally on your device:
- ECG recordings remain in Apple HealthKit
- Analysis results are cached locally
- Journal entries are stored on-device
5.2 Cloud Storage
Limited data may be stored in our secure cloud infrastructure (Supabase):
- User account information
- Subscription status
- App preferences and settings
5.3 Security Measures
We implement industry-standard security measures:
- End-to-end encryption for data in transit
- Secure authentication with Apple Sign In support
- Face ID / Touch ID integration for app access
- Regular security audits
6. Third-Party Services
HeartLab uses the following third-party services:
6.1 Apple HealthKit
We access your ECG data through Apple HealthKit. Apple's privacy policy applies to data stored in HealthKit.
6.2 OpenAI (AI Assistant)
HeartLab uses OpenAI (OpenAI, L.L.C., San Francisco, CA, USA) as a third-party AI service to power the AI Health Assistant feature. Data is sent to OpenAI only when you explicitly grant consent through the in-app consent screen.
Data shared with OpenAI when you consent:
- Age and biological sex
- Known medical conditions and current medications
- Heart rate metrics (average, minimum, maximum)
- Heart rate variability (HRV) and SDNN values
- Arrhythmia detection counts (PAC, PVC, pauses, AFib episodes)
- ECG classification, QTc metrics, and signal quality
Raw ECG waveform data is never shared with OpenAI.
Data is transmitted via our Supabase servers to OpenAI's API. OpenAI does not use your data for model training. You can revoke your consent at any time from within the app (Profile > AI Data Sharing), and no further data will be sent.
6.3 RevenueCat (Subscriptions)
We use RevenueCat to manage subscriptions. They process payment information through Apple's App Store. We do not have access to your payment card details.
6.4 Supabase (Authentication & Storage)
User accounts and preferences are managed through Supabase, which provides secure, GDPR-compliant data storage.
6.5 IP Geolocation (Website Localization)
Our website uses ipapi.co to detect your country based on your IP address for the sole purpose of displaying content in your local language. This is done under the legal basis of legitimate interest (GDPR Article 6(1)(f)) to provide a better user experience.
- Data processed: Your country code only (e.g., "IT", "DE", "ES")
- Data NOT stored: Your IP address is not stored or logged by us
- Purpose: Automatic language selection for website content
- Fallback: If you prefer, you can manually select your language using the language selector, and your preference will be saved
You can opt out of automatic language detection by selecting your preferred language manually. Your choice is stored locally in your browser and takes precedence over automatic detection.
6.6 Firebase Crashlytics (Crash Reporting)
We use Firebase Crashlytics, a service provided by Google LLC, to collect anonymous crash reports and diagnostic data. This helps us identify and fix bugs to improve app stability.
- Data collected: Crash stack traces, device model, OS version, app state at time of crash, anonymous installation identifier
- Data NOT collected: No personally identifiable information (no names, emails, or health data)
- Purpose: App stability monitoring and bug fixing
- Legal basis: Legitimate interest (GDPR Article 6(1)(f)) in providing a stable, reliable application
- Retention: Crash data is retained for 90 days by Google
For more information, see Firebase Privacy Policy.
7. Your Rights (GDPR)
Under the General Data Protection Regulation (GDPR), you have the following rights:
- Right of Access: Request a copy of your personal data
- Right to Rectification: Correct inaccurate personal data
- Right to Erasure: Request deletion of your personal data
- Right to Portability: Receive your data in a portable format
- Right to Restrict Processing: Limit how we use your data
- Right to Object: Object to processing of your data
- Right to Withdraw Consent: Withdraw consent at any time
To exercise these rights, contact us at hello@heartlab.it.
8. Data Retention
We retain your data according to the following policies:
- Account Data: Until you delete your account
- Health Data: Stored locally until you delete the app or clear data
- Usage Analytics: Anonymized and retained for up to 24 months
You can delete your account and all associated data at any time through the app settings.
9. Children's Privacy
HeartLab is not intended for use by children under 17 years of age. We do not knowingly collect personal information from children. If you believe a child has provided us with personal data, please contact us immediately.
10. International Data Transfers
Your data may be transferred to and processed in countries outside your country of residence. We ensure appropriate safeguards are in place, including:
- Standard Contractual Clauses approved by the European Commission
- Services certified under recognized data protection frameworks
11. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of any significant changes by:
- Posting the new policy in the App
- Updating the "Last updated" date
- Sending an email notification for material changes
12. Data Protection Authority
If you have concerns about our data processing, you have the right to lodge a complaint with a supervisory authority.
Albanian Information and Data Protection Commissioner (IDP)
Rruga "Abdi Toptani", Nr. 5
Tirana, Albania
www.idp.al
For EU residents, you may also contact your local data protection authority.
13. Contact Us
If you have questions about this Privacy Policy or our data practices, please contact us:
- Email: hello@heartlab.it
- Support: hello@heartlab.it
- Website: heartlab.it
14. Apple App Store Privacy
If you downloaded HeartLab from the Apple App Store:
- (a) Apple's Privacy Policy applies to data collected by Apple, including App Store transactions and HealthKit data stored by Apple.
- (b) We do not have access to your Apple ID, payment information, or other data managed directly by Apple.
- (c) For information about Apple's privacy practices, visit: https://www.apple.com/privacy/
- (d) This Privacy Policy governs only data collected and processed by HeartLab.
Remember: HeartLab is NOT a medical device and does not provide medical diagnoses. Always consult a qualified healthcare professional for medical advice.