← Back to Harthos
Privacy Policy
Last updated: June 8, 2026
Harthos ("we", "our", or "us") operates the Harthos mobile application and website. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our service.
1. Information We Collect
Account & Identity
- Email address, display name, and username
- Profile photo (optional)
- Date of birth (used to verify you are 18 or older)
- Biological sex (optional, for health metric context)
- Phone number (optional)
Health & Fitness Data
With your explicit permission, we access health data from Apple HealthKit or Google Health Connect, including:
- Step count and distance walked/run
- Active calories burned and exercise minutes
- Heart rate, resting heart rate, and heart rate variability (HRV)
- Sleep duration and quality
- Blood oxygen (SpO2) and VO2 max
This data is used solely to calculate your Harthos Health Score and to determine challenge outcomes. We do not sell health data to third parties.
Financial Information
Payment processing is handled by Stripe. We do not store your credit card numbers or bank account numbers on our servers. We store only a Stripe token. Your wallet balance and transaction history are stored in our secure database.
App Usage & Analytics
- Screen views, navigation events, and app session data — via Firebase Analytics (Google)
- Sign-up and login events
- Challenge creation, acceptance, and completion events
- Crash reports and error logs — via Firebase Crashlytics (Google)
Device & Technical Data
- Firebase Cloud Messaging (FCM) token for push notifications
- App version and platform (iOS/Android)
- IP address (logged transiently in server access logs)
2. How We Use Your Information
- To create and manage your account
- To calculate health scores and determine challenge winners
- To process deposits, stakes, and payouts
- To detect and prevent cheating or fraudulent activity
- To send notifications about challenges, results, and account activity
- To improve the app and fix bugs
- To comply with legal obligations, including financial record-keeping
3. Health Data Protections
- Health data is only accessed when you explicitly grant permission
- Health data is never sold, shared with advertisers, or used for marketing
- Health data is never shared with insurance companies or employers
- You can revoke health data access at any time through your device settings
4. Data Sharing
We share your information only in the following circumstances:
- Challenge participants: Your display name, profile photo, and challenge progress are visible to other participants in your challenges
- Leaderboards: Your display name, win record, and ranking may appear on leaderboards
- Service providers: Firebase (Google) for authentication and storage, Stripe for payments, Apple/Google for health data access
- Legal requirements: We may disclose information if required by law or to protect our rights
5. Data Retention
| Data type | Retention period |
| Account profile (Firestore) | Until account deletion; purged within 30 days of confirmed deletion request |
| Health and activity data | Retained while account is active; removed on account deletion |
| Financial transaction records | Retained for 7 years from transaction date for financial compliance; anonymized upon account deletion (user identity removed, amounts retained) |
| Firebase Analytics events | 2–14 months, controlled by Google's retention settings |
| Server access logs | 30 days |
| Crash reports | 90 days |
6. Data Storage & Security
Your data is stored on Google Cloud infrastructure with encryption at rest and in transit. Security measures include:
- TLS encryption for all data in transit
- Firestore Security Rules restricting client data access
- Server-side validation of all financial transactions
- Anti-cheat monitoring to detect anomalous health data
- IAM-based access controls with principle of least privilege
7. Your Rights
You have the right to:
- Access your personal data by contacting us
- Correct inaccurate information in your profile settings
- Delete your account from Profile → Settings → Delete Account within the app. A 30-day grace period applies before permanent deletion. You must first withdraw your wallet balance and resolve any active challenges. Financial transaction records are anonymized rather than erased to meet legal obligations.
- Revoke health data permissions through your device settings at any time
- Export your data upon request
To exercise any right, email support@harthos.app. We will respond within 30 days.
8. Children's Privacy
Harthos is not intended for users under the age of 18. We do not knowingly collect personal information from anyone under 18. If we learn that we have collected data from a minor, we will delete that information promptly.
9. Third-Party Services
- Google Firebase — Authentication, database, analytics, crash reporting
- Stripe — Payment processing
- Apple HealthKit / Google Health Connect — Health data access (on-device only)
10. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of any material changes by posting the new policy in the app and updating the "Last updated" date.
11. Contact
If you have questions about this Privacy Policy or your data, contact us at support@harthos.app.