Privacy Policy
Your Privacy Matters: HeartLab is designed with privacy at its core. Your health data stays on your device and is never uploaded to our servers without your explicit consent.
1. Introduction
HeartLab ("we," "our," or "us") is committed to protecting your privacy. This Privacy Policy explains how HeartLab ("the App") collects, uses, and protects your personal information.
By using HeartLab, you agree to the collection and use of information in accordance with this policy. If you do not agree with this policy, please do not use the App.
2. Data Controller
The data controller responsible for your personal data is:
CEPALabs SHPK
NUIS: M61327011S
Rruga Andon Zako Cajupi, Ndërtes 3, Hyrja Nr. 11
Tiranë, Albania
- Phone: +39 379 234 5841
- Email: hello@heartlab.it
- Website: heartlab.it
For any privacy-related questions or to exercise your data rights, you can reach us through any of the channels listed on our Contact page — including email, WhatsApp, Discord, and phone.
3. Information We Collect
3.1 Health Data (Special Category Data)
HeartLab accesses and processes the following health data from Apple HealthKit:
- ECG Recordings: Electrocardiographic data from your Apple Watch
- Heart Rate Data: Heart rate measurements and variability
- Rhythm Classification: Apple's ECG classification results
Important: This data is processed locally on your device. We do not upload, store, or have access to your raw ECG data on our servers.
3.2 Health Profile Information
If you choose to create a health profile, you may provide:
- Age and biological sex
- Height and weight
- Pre-existing medical conditions (optional)
- Current medications (optional)
- Family medical history (optional)
- Sports activity level (optional)
3.3 Account Information
If you create an account, we collect:
- Email address
- Authentication credentials (securely hashed)
- Sign in with Apple identifier (if used)
3.4 Usage Data
We may collect anonymized usage data to improve the App, including:
- App feature usage patterns
- Crash reports and error logs
- Device type and iOS version
3.5 Apple HealthKit Data - Important Disclosures
In compliance with Apple's HealthKit requirements, we explicitly state that:
- (a) NO ADVERTISING: Your HealthKit data (ECG recordings, heart rate, rhythm classifications) is NEVER used for advertising or marketing purposes.
- (b) NO SELLING: We do NOT sell, license, or otherwise disclose your HealthKit data to any third party, including advertising platforms, data brokers, or information resellers.
- (c) NO THIRD-PARTY SHARING: Your HealthKit data is NOT shared with third parties except:
  - When you explicitly request AI analysis (data sent to OpenAI only for that specific request)
  - When required by law
- (d) HEALTH PURPOSES ONLY: HealthKit data is used exclusively to provide health and fitness features within the App, including ECG analysis, heart rate variability calculations, and trend monitoring.
- (e) LOCAL PROCESSING: Your HealthKit data is primarily processed on your device. We do not store your raw ECG data on our servers.
- (f) USER CONTROL: You can revoke HeartLab's access to HealthKit at any time through your iPhone's Settings > Privacy & Security > Health > HeartLab.
4. How We Use Your Information
We use your information for the following purposes:
- ECG Analysis: To provide detailed analysis of your ECG recordings locally on your device
- AI Assistant: When you use the AI feature, selected ECG data is sent to OpenAI for analysis (only with your explicit action)
- Personalization: To customize insights based on your health profile
- App Improvement: To fix bugs and improve app performance
- Support: To respond to your inquiries and provide customer support
5. Data Storage and Security
5.1 On-Device Storage
The majority of your data is stored locally on your device:
- ECG recordings remain in Apple HealthKit
- Analysis results are cached locally
- Journal entries are stored on-device
5.2 Cloud Storage
Limited data may be stored in our secure cloud infrastructure (Supabase):
- User account information
- Subscription status
- App preferences and settings
5.3 Security Measures
We implement industry-standard security measures:
- End-to-end encryption for data in transit
- Secure authentication with Apple Sign In support
- Face ID / Touch ID integration for app access
- Regular security audits
6. Third-Party Services
HeartLab uses the following third-party services:
6.1 Apple HealthKit
We access your ECG data through Apple HealthKit. Apple's privacy policy applies to data stored in HealthKit.
6.2 OpenAI (AI Assistant)
HeartLab uses OpenAI (OpenAI, L.L.C., San Francisco, CA, USA) as a third-party AI service to power the AI Health Assistant feature. Data is sent to OpenAI only when you explicitly grant consent through the in-app consent screen.
Complete anonymization — no raw data is ever transmitted:
HeartLab never sends your original ECG recordings, raw waveform data, or any personally identifiable health data to OpenAI. Instead, the app's on-device algorithms first analyze your ECG locally, and only the extracted numerical summaries are shared — never the underlying signal. Specifically:
- Age range and biological sex (for clinical context only)
- Known medical conditions and current medications (if you choose to provide them)
- Heart rate metrics (average, minimum, maximum) — computed locally by HeartLab
- Heart rate variability (HRV) and SDNN values — computed locally by HeartLab
- Arrhythmia detection counts (PAC, PVC, pauses, AFib episodes) — computed locally by HeartLab
- ECG classification result, QTc metrics, and signal quality score — computed locally by HeartLab
These are abstract, fully anonymized numerical values derived by HeartLab's algorithms. They contain no raw signal data, no waveform points, no timestamps, and no information that could identify you as an individual. The AI receives only what it needs to provide a meaningful health explanation — nothing more.
Encryption and secure transmission:
All data is encrypted in transit using TLS 1.2+ (HTTPS) via our Supabase servers to OpenAI's API. The connection is end-to-end encrypted, and no intermediary can read the data in transit.
OpenAI does not train on your data:
HeartLab uses the OpenAI API with data usage opt-out enabled. Per OpenAI's Enterprise Privacy policy, data sent through the API is not used to train, improve, or fine-tune OpenAI models. Your data is processed solely to generate a response and is not retained beyond the request lifecycle.
You can revoke your consent at any time from within the app (Profile > AI Data Sharing), and no further data will be sent to OpenAI.
6.3 RevenueCat (Subscriptions)
We use RevenueCat to manage subscriptions. They process payment information through Apple's App Store. We do not have access to your payment card details.
6.4 Supabase (Authentication & Storage)
User accounts and preferences are managed through Supabase, which provides secure, GDPR-compliant data storage.
6.5 IP Geolocation (Website Localization)
Our website uses ipapi.co to detect your country based on your IP address for the sole purpose of displaying content in your local language. This is done under the legal basis of legitimate interest (GDPR Article 6(1)(f)) to provide a better user experience.
- Data processed: Your country code only (e.g., "IT", "DE", "ES")
- Data NOT stored: Your IP address is not stored or logged by us
- Purpose: Automatic language selection for website content
- Fallback: If you prefer, you can manually select your language using the language selector, and your preference will be saved
You can opt out of automatic language detection by selecting your preferred language manually. Your choice is stored locally in your browser and takes precedence over automatic detection.
6.6 Firebase Crashlytics (Crash Reporting)
We use Firebase Crashlytics, a service provided by Google LLC, to collect anonymous crash reports and diagnostic data. This helps us identify and fix bugs to improve app stability.
- Data collected: Crash stack traces, device model, OS version, app state at time of crash, anonymous installation identifier
- Data NOT collected: No personally identifiable information (no names, emails, or health data)
- Purpose: App stability monitoring and bug fixing
- Legal basis: Legitimate interest (GDPR Article 6(1)(f)) in providing a stable, reliable application
- Retention: Crash data is retained for 90 days by Google
For more information, see the Firebase Privacy Policy.
7. Your Rights (GDPR)
Under the General Data Protection Regulation (GDPR), you have the following rights:
- Right of Access: Request a copy of your personal data
- Right to Rectification: Correct inaccurate personal data
- Right to Erasure: Request deletion of your personal data
- Right to Portability: Receive your data in a portable format
- Right to Restrict Processing: Limit how we use your data
- Right to Object: Object to processing of your data
- Right to Withdraw Consent: Withdraw consent at any time
To exercise these rights, contact us at hello@heartlab.it.
8. Data Retention
We retain your data according to the following policies:
- Account Data: Until you delete your account
- Health Data: Stored locally until you delete the app or clear data
- Usage Analytics: Anonymized and retained for up to 24 months
You can delete your account and all associated data at any time through the app settings.
9. Children's Privacy
HeartLab is not intended for use by children under 17 years of age. We do not knowingly collect personal information from children. If you believe a child has provided us with personal data, please contact us immediately.
10. International Data Transfers
Your data may be transferred to and processed in countries outside your country of residence. We ensure appropriate safeguards are in place, including:
- Standard Contractual Clauses approved by the European Commission
- Services certified under recognized data protection frameworks
11. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of any significant changes by:
- Posting the new policy in the App
- Updating the "Last updated" date
- Sending an email notification for material changes
12. Data Protection Authority
If you have concerns about our data processing, you have the right to lodge a complaint with a supervisory authority.
Albanian Information and Data Protection Commissioner (IDP)
Rruga "Abdi Toptani", Nr. 5
Tirana, Albania
www.idp.al
For EU residents, you may also contact your local data protection authority.
13. Contact Us
If you have questions about this Privacy Policy or our data practices, please contact us:
- Email: hello@heartlab.it
- Support: hello@heartlab.it
- Website: heartlab.it
14. Apple App Store Privacy
If you downloaded HeartLab from the Apple App Store:
- (a) Apple's Privacy Policy applies to data collected by Apple, including App Store transactions and HealthKit data stored by Apple.
- (b) We do not have access to your Apple ID, payment information, or other data managed directly by Apple.
- (c) For information about Apple's privacy practices, visit: https://www.apple.com/privacy/
- (d) This Privacy Policy governs only data collected and processed by HeartLab.
Remember: HeartLab is NOT a medical device and does not provide medical diagnoses. Always consult a qualified healthcare professional for medical advice.