Privacy Policy

Privacy Policy for Heroic

This privacy policy describes how Heroic ("we", "us" or "our") collects, uses and protects personal data collected from users of our service, "Heroic". We are the data controller for the processing of personal data described in this policy.

We strive to protect users' privacy and security in accordance with applicable data protection laws, including the EU General Data Protection Regulation (GDPR). By using Heroic, you confirm that you have read this privacy policy.

Collected Personal Data

We collect the following personal data from our users:

Name: To identify the user and create a personalised experience.

Email address: For communication and to provide important information about the service.

Profile picture: If the user chooses to upload a profile picture, it is stored with the Cloudinary service for display in the user's profile.

Health and activity data: If you choose to connect external services (e.g. Apple Health, Google Fit, Fitbit, Strava, Withings, Polar or Garmin), we collect the data synchronised from those services. This may include sleep, steps, heart rate, body weight and workouts.

Technical error data: Your anonymised database user ID may be stored in our error monitoring tool Sentry in connection with technical errors, to help us identify and resolve issues in the service.

Device and platform information and IP address: May be collected passively when you use the service, for example during login or API requests.

Use of Personal Data

We use the collected personal data for the following purposes:

Providing the Heroic service (legal basis: performance of a contract, Art. 6.1.b): Personal data is used to create and manage user accounts, synchronise data from external services and display correct information on user profiles.

Communication with users (legal basis: performance of a contract, Art. 6.1.b): We use the email address to send important information about the service, updates and any changes to the terms of service.

Error monitoring (legal basis: legitimate interest, Art. 6.1.f): Anonymised error reports including user ID are stored in Sentry to facilitate troubleshooting and improve the service's stability and performance. Our legitimate interest lies in maintaining a technically stable and secure service.

Sharing of Personal Data

We do not share users' personal data with third parties without a legal basis, except with the sub-processors required to operate the service:

Cloudinary (USA): Profile pictures and group logos uploaded are stored with Cloudinary for display in the service.

Sentry (USA): Anonymised error reports including database IDs may be sent to Sentry for error monitoring and diagnosis.

Resend (USA): We use Resend solely to send transactional emails (e.g. welcome emails and notifications). Your email address is transferred to Resend only in connection with the sending of the email and is not stored by us with Resend as a contact list. Resend may retain addresses in its own delivery logs in accordance with their privacy policy.

Connected health services (Apple Health, Google Fit, Fitbit, Strava, Withings, Polar, Garmin): During synchronisation, API requests are sent to these services. The processing of data by these third parties is governed by each service's own terms and privacy policy.

International Transfer of Personal Data

Several of our sub-processors – Cloudinary, Sentry and Resend – are based in the USA. Transfer of personal data to the USA takes place on the basis of the European Commission's Standard Contractual Clauses (SCC) or, where applicable, the EU-U.S. Data Privacy Framework. You may request more information about the safeguards applicable to a specific service by contacting us.

Storage and Deletion of Personal Data

We retain users' personal data for as long as the user holds an active account in the Heroic service.

Health and activity data: Retained for the lifetime of the account and deleted when the account is closed.

Technical error logs (Sentry): Retained in accordance with Sentry's standard data retention settings.

Email address for transactional mailings: Transferred to Resend only in connection with the sending of the email. We do not maintain a contact list with Resend; any retention takes place within Resend's own delivery logs in accordance with their terms.

If the user chooses to close their account, all personal data is deleted from our database. However, if the user has been connected to a workplace, an anonymised account and aggregated activity data needed to display correct information on the workplace page will be retained.

If you disconnect from an external service, we reserve the right to delete data from that service within 90 days.

Protection of Personal Data

We implement appropriate technical and organisational measures to protect users' personal data against unauthorised access, misuse, loss or destruction. We use encryption methods to secure users' passwords and rely on the security practices of our database provider to protect the collected information.

Data from Connected Services

If you choose to connect one or more external health and activity services to Heroic – such as Apple Health, Google Fit, Fitbit, Strava, Withings, Polar or Garmin – we collect the data we assess as necessary to present as accurate a picture of your activity as possible. Data that may be retrieved includes sleep, steps, heart rate, body weight and workouts.

Heroic uses this data solely to display information within the service. We do not write new data back to the external services.

Google Limited Use Disclosure

Heroic's use and transfer of information received from Google APIs to any other app will adhere to the Google API Services User Data Policy, including the Limited Use requirements.

Your Rights

Under GDPR, you as a user have the following rights regarding your personal data:

Right of access (Art. 15): You have the right to request information about what personal data we process about you.

Right to rectification (Art. 16): You have the right to request that incorrect data be corrected.

Right to erasure (Art. 17): You may request that we delete your personal data. Please note that this may affect certain features of the service.

Right to restriction (Art. 18): You may request that the processing of your data be restricted in certain situations.

Right to data portability (Art. 20): You have the right to receive your personal data in a structured, machine-readable format and to transfer it to another data controller.

Right to object (Art. 21): You have the right to object to processing based on legitimate interest.

Right to withdraw consent: Where processing is based on consent, you have the right to withdraw it at any time without affecting the lawfulness of processing carried out prior to withdrawal.

Right to lodge a complaint: You have the right to lodge a complaint with the Swedish Authority for Privacy Protection (IMY), which is the supervisory authority in Sweden. More information is available at www.imy.se.

Please note that depending on the circumstances, certain limitations or exceptions to these rights may apply.

Changes to the Privacy Policy

We reserve the right to amend this privacy policy at any time. Any changes will be published on our website or communicated to you by email or other appropriate channels. We recommend that you regularly review the privacy policy to stay informed of any changes.

Contact Us

If you have questions, concerns or wish to exercise your rights regarding the processing of your personal data, please contact us. We will respond to your request within one month (30 days) in accordance with GDPR Art. 12.

Email: kontakt@heroic.se