Privacy Policy
Last updated: January 2025
1. Introduction
Welcome to Healio ("we," "our," or "us"). We are committed to protecting your personal information and your right to privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our mobile application, Healio.
2. Information We Collect
We collect the following types of information when you use Healio:
1. Account Information:
- Email address, password (encrypted), display name
- Authentication data from Apple Sign In or Google Sign In (if used)
- User ID (automatically generated by our authentication system)
2. Health & Wellness Data:
- Therapy Conversations: Full text and voice transcripts from chat sessions
- Journal Entries: AI-generated summaries, titles, mood ratings (1-5 scale), and word counts
- Memory System Data: Semantic facts about you extracted from conversations, episodic conversation summaries, and recurring discussion topics with emotional intensity scores
- Mental Health Assessments: Sleep quality, energy levels, stress factors, tension, and other wellness indicators collected during onboarding
- Goals & Habits: Custom goals you create and daily completion records
3. Audio Data:
- Voice recordings during therapy sessions (recorded with your permission)
- Important: Audio files are transcribed using OpenAI Whisper and then immediately deleted. We only retain text transcripts, not the audio recordings themselves.
4. Photos:
- Optional selfie photo during onboarding for stress analysis demo
- Important: Photos are stored locally on your device only and are never uploaded to our servers or shared with third parties.
5. Device & Technical Information:
- Device identifiers (for app functionality and analytics if you grant tracking permission)
- Operating system version, device model
- App performance metrics and crash logs
6. Usage Analytics:
- Feature interaction data (which features you use and when)
- Session duration and app lifecycle events (app opened, backgrounded)
- Signup method (email, Apple Sign In, Google Sign In)
- Paywall interactions and subscription events
- User Control: Analytics tracking requires your permission via the App Tracking Transparency (ATT) prompt. You can deny tracking or disable it later in iOS Settings.
7. Payment Information:
- Subscription records and transaction history
- Important: Payment processing is handled by Apple's App Store. We do not have access to your credit card or payment method details.
3. How We Use Your Information
We use the information we collect to:
- Provide, maintain, and improve our services
- Process payments and manage purchase transactions
- Personalize your experience and provide AI-powered insights
- Remember your conversations, reflections, and user content
- Analyze product interactions and usage patterns to enhance app functionality
- Monitor app performance, diagnose issues, and prevent crashes
- Respond to your support requests and customer service inquiries
- Send you technical notices, updates, and support messages
- Ensure security and prevent fraudulent activity
- Comply with legal obligations and protect our rights
4. Data Security
We take the security of your mental health data extremely seriously and implement the following protections:
Encryption:
- In Transit: All data transmitted between your device and our servers uses TLS/SSL encryption
- At Rest: All data stored in our Supabase database is encrypted using AES-256 encryption
Access Controls:
- Row-Level Security (RLS): Database policies ensure you can only access your own data, not other users' data
- Authentication: Multi-factor authentication available via Apple Sign In and Google Sign In
- API Security: All API requests are authenticated and validated
Local Storage:
- User preferences (memory settings, agent mode, TTS settings) are stored locally on your device using secure storage
- Authentication tokens are stored securely and automatically expire
Third-Party Security:
- OpenAI, Supabase, PostHog, and Superwall all maintain SOC 2 Type II compliance and industry-standard security practices
- All third-party services use encrypted connections and secure data centers
What We DON'T Do:
- We do NOT store your voice recordings long-term (deleted after transcription)
- We do NOT upload selfie photos to our servers (stored locally only)
- We do NOT share your therapy conversation content with advertisers
- We do NOT sell your data to third parties
If you have security concerns or discover a vulnerability, please contact us immediately at support@healioapp.com.
5. Data Sharing and Disclosure
We do not sell, trade, or rent your personal information to third parties. We may share your information only in the following circumstances:
- With your explicit consent
- To comply with legal obligations
- To protect our rights and safety
- With service providers who assist in operating our app (under strict confidentiality agreements)
6. Third-Party Service Providers
We use the following third-party services to provide and improve our app functionality. Each service may collect and process your data as described below:
OpenAI (AI Provider)
- Services Used: GPT-4o chat completions, Whisper audio transcription, text-to-speech, and embeddings
- Data Shared: Your conversation messages (text and voice transcripts), audio recordings, system prompts with memory context, and emotional state analysis
- Purpose: To provide AI therapy responses, transcribe voice conversations, generate voice responses, and enable semantic memory search
- Data Retention: OpenAI retains data for a minimum of 30 days as per their data retention policy
- Privacy Policy: https://openai.com/privacy
Supabase (Database Hosting)
- Services Used: PostgreSQL database, authentication, and cloud storage
- Data Shared: User profiles (name, birthday, gender, stress factors), authentication credentials, conversation history, journal entries, goals data, and memory embeddings
- Purpose: Secure backend data storage and user authentication
- Infrastructure: Amazon Web Services (AWS) with encryption at rest and in transit
- Data Retention: Data is retained indefinitely until you delete your account
- Privacy Policy: https://supabase.com/privacy
PostHog (Analytics Provider)
- Services Used: Behavioral analytics and product usage tracking
- Data Shared: User ID, feature usage events, signup/login events, paywall interactions, app lifecycle events, and device identifiers (only if you grant tracking permission)
- Purpose: To analyze user behavior, improve app functionality, and understand conversion patterns
- User Control: You can opt out of tracking by denying the App Tracking Transparency (ATT) permission when prompted or by disabling tracking in iOS Settings → Privacy & Security → Tracking → Healio
- Tracking Domain: us.i.posthog.com
- Privacy Policy: https://posthog.com/privacy
Superwall (Subscription Management)
- Services Used: Paywall presentation and subscription analytics
- Data Shared: User ID, purchase events, paywall presentation events, and subscription status
- Purpose: To manage in-app subscriptions and analyze subscription conversion rates
- Privacy Policy: https://superwall.com/privacy
Important: We do not sell, trade, or rent your personal information to any third party. Data is shared with these service providers solely to operate and improve our app under strict confidentiality agreements.
7. Data Retention
Healio Data:
- Conversation Data: Your therapy conversations, journal entries, goals, and memories are stored indefinitely in our secure Supabase database until you choose to delete your account.
- User Profile: Account information (email, name, preferences) is retained until account deletion.
- Audio Recordings: Voice recordings are deleted immediately after transcription and are not stored long-term. Only text transcripts are retained.
- Photos: Selfie photos captured during onboarding are stored locally on your device only and are never uploaded to our servers.
Third-Party Retention:
- OpenAI: Conversation data sent to OpenAI for AI responses is retained by OpenAI for a minimum of 30 days as per their data retention policy.
- PostHog: Analytics data is retained according to PostHog's retention policies.
- Supabase: Database backups may be retained for disaster recovery purposes.
Account Deletion:
When you delete your Healio account:
- All your data in our Supabase database is permanently deleted, including conversations, journal entries, goals, and memories
- We cannot delete data already processed by OpenAI (subject to their 30-day retention policy)
- Analytics data in PostHog may be retained in aggregated form
- Deletion is irreversible and cannot be undone
To delete your account, go to Settings → Account → Delete Account, or contact us at support@healioapp.com.
8. Your Privacy Rights
You have the following rights regarding your personal data:
- Access: Request a copy of all data we have about you
- Correction: Update or correct inaccurate information
- Deletion: Permanently delete your account and all associated data
- Export: Download your conversation history, journal entries, and goals in a portable format
- Opt-Out of Tracking: Deny or revoke tracking permission via iOS Settings → Privacy & Security → Tracking
- Opt-Out of Specific Features:
  - Disable the memory system in Settings (conversation data still saved, but memories not extracted)
  - Disable text-to-speech voice responses
  - Disable push notifications
How to Exercise Your Rights:
- In-App: Settings → Account → Manage Privacy or Delete Account
- Email: support@healioapp.com with subject line "Privacy Request"
- Response Time: We will respond to privacy requests within 30 days
Data Portability:
When you request a data export, you'll receive:
- All conversation transcripts
- Journal entries with summaries and mood data
- Goals and completion history
- Memory system data (semantic facts, episodic summaries, topics)
- Account information (email, name, preferences)
Limitations:
- We cannot delete data already processed by OpenAI (subject to their 30-day retention policy)
- Aggregated analytics data may be retained (but cannot identify you individually)
- Legal or regulatory requirements may require us to retain certain data
9. App Tracking Transparency & Analytics
What is App Tracking?
iOS requires apps to ask your permission before tracking your activity across other companies' apps and websites. This is called App Tracking Transparency (ATT).
What We Track (Only With Your Permission):
When you grant tracking permission via the ATT prompt, we use PostHog analytics to collect:
- User ID (to understand individual user journeys)
- Feature usage events (e.g., first chat, first journal entry, first goal created)
- Signup and login events
- Subscription and paywall events
- Device identifiers for analytics purposes
What We DON'T Track:
- Your therapy conversation content
- Journal entry details
- Mood data or health information
- Activity across other apps or websites
- Location data
Your Control:
- When you first open the app, you'll see an ATT prompt asking for tracking permission
- You can choose "Ask App Not to Track" to deny permission
- You can change this setting anytime in: iOS Settings → Privacy & Security → Tracking → Healio
- Denying tracking does not affect core app functionality—you can still use all therapy, journal, and goal features
Why We Use Analytics:
We use analytics to:
- Understand which features are most helpful
- Identify bugs and crashes
- Improve onboarding and user experience
- Analyze subscription conversion to optimize pricing
10. Children's Privacy
Healio is not intended for children under the age of 13. We do not knowingly collect personal information from children under 13. If you are a parent or guardian and believe your child has provided us with personal information, please contact us.
11. Changes to This Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, legal requirements, or app features. When we make significant changes, we will:
- Update the "Last Updated" date at the top of this policy
- Notify you via email (if you've provided one) or in-app notification
- For material changes (e.g., new third-party services, new data collection types), we may require you to re-consent
Recent Updates (January 2025):
- Added detailed third-party service provider disclosures (OpenAI, Supabase, PostHog, Superwall)
- Clarified data retention policies for Healio data and third-party services
- Added App Tracking Transparency (ATT) explanation
- Clarified that selfie photos are stored locally only and never uploaded
- Added memory system data retention details
We encourage you to review this Privacy Policy periodically to stay informed about how we protect your information.
12. Contact Us
If you have any questions about this Privacy Policy, please contact us at:
Email: support@healioapp.com