Privacy Policy

Last Updated:

Habitline is committed to protecting your privacy. This Privacy Policy explains how we collect, use, and safeguard your information when you use our app and website.

1. Information we collect

1.1 Information You Provide


**Account Information**

When you create an account (optional — the App works without one), we collect:

- Display name

- Email address (if using email authentication)

- Authentication provider (Apple, Google, or email)


You may use the App without creating an account. Account creation enables cloud sync, cross-device access, and data backup.


**Wellness Check-Ins**

When you complete daily check-ins, we collect the information you provide:

- Sleep quality rating (1-5)

- Energy feeling rating (1-5)

- Stress level rating (1-5)

- Mood selection

- Optional text notes

- Optional voice transcriptions (processed on-device — see Section 1.3)


**Chat Messages**

When you interact with Kora's AI assistant, we store:

- Your messages

- AI-generated responses

- Conversation timestamps


If you are not signed in, chat messages are stored locally on your device only.


**Shield Configurations**

When you set up Shields (app-blocking goals), we store:

- Shield name and type

- Goal parameters (step counts, time targets, etc.)

- Selected app categories to block (stored as anonymized tokens — we cannot see which specific apps you select)

- Shield completion and unlock history


**User Preferences**

- Notification settings

- Sleep and step goals

- Theme preferences


### 1.2 Information Collected Automatically


**Health & Fitness Data (via Apple HealthKit)**

With your explicit permission, Kora reads the following data from Apple HealthKit:

- Sleep analysis (duration, sleep stages: deep, REM, core, awake)

- Heart rate variability (HRV)

- Resting heart rate

- Heart rate

- Step count

- Walking and running distance

- Active energy burned (calories)

- Exercise time


**Important:** We only *read* health data — we never write to HealthKit. Health data is processed on your device to calculate your energy score. Raw health data is never sent to third-party servers. Only computed summaries (e.g., "sleep: 7.5 hours," "HRV: 45ms") may be included in AI chat context if you ask health-related questions.


**Calendar Data (via Apple EventKit)**

With your explicit permission, Kora reads your calendar to provide schedule-aware recommendations:

- Event titles, times, and durations

- Calendar names

- Event locations


Calendar data is analyzed entirely on your device. Only aggregated context (e.g., "3 meetings today, next meeting in 2 hours") is shared with the AI assistant when relevant.


**Screen Time Data (via Apple Family Controls)**

With your explicit permission, Kora uses Screen Time APIs to enable Shield functionality:

- App category selections for blocking

- Shield activation and completion status


App selections are stored as Apple-provided anonymized tokens. Kora cannot identify or access the names or bundle identifiers of the specific apps you select.


**Device & Usage Data**

- Crash reports and diagnostic data (via Firebase Crashlytics — disabled in debug builds)

- App session timestamps (for registration prompt timing)

- Feature usage counts (chat messages sent, shields completed, check-ins completed)


### 1.3 Voice & Speech Data


Kora offers optional voice input for wellness check-ins. When you use this feature:

- Audio is captured and transcribed **entirely on your device** using Apple's Speech Recognition framework

- We request on-device recognition when supported by your device

- **No audio recordings are stored or transmitted**

- Only the resulting text transcription is saved (locally and, if signed in, to your cloud account)

2. How we use your information

We use the information we collect to:


| Purpose | Data Used |

|---------|-----------|

| Calculate your daily energy score | HealthKit data (sleep, HRV, heart rate, steps, activity) |

| Provide personalized AI wellness insights | Health summaries, check-in history, chat context, calendar context |

| Enable Shield (app-blocking) goals | Screen Time selections, health goal progress |

| Track your wellness trends over time | Check-in history, energy scores, shield completions |

| Sync data across your devices | All user-generated data (when signed in) |

| Send proactive notifications | Health summaries, check-in reminders, shield status |

| Process subscription purchases | Account identifier, purchase status |

| Diagnose crashes and improve reliability | Crash reports, device information |

| Personalize your experience | User preferences, AI-learned memories |


We **do not** use your data for:

- Advertising or ad targeting

- Selling to data brokers or third parties

- Building user profiles for marketing

- Training AI models (see Section 3.2)

3. Third-Party Services

  • 3.1 Firebase (Google)


    We use Firebase for backend infrastructure:


    | Service | Purpose | Data Processed |

    |---------|---------|----------------|

    | Firebase Authentication | Account management | Email, name, auth provider |

    | Cloud Firestore | Cloud data storage & sync | User data, chat history, check-ins, shields, energy scores |

    | Firebase Crashlytics | Crash reporting | Crash logs, device model, OS version |

    | Firebase App Check | Security & fraud prevention | Device attestation tokens |


    Firebase's privacy policy: [https://firebase.google.com/support/privacy](https://firebase.google.com/support/privacy)


    ### 3.2 OpenAI


    Kora uses OpenAI's API (GPT-4o-mini) to power the AI wellness assistant.


    **What is sent to OpenAI:**

    - Your chat messages and conversation history

    - Summarized health context (energy score, sleep duration, HRV value, step count — not raw HealthKit data)

    - Summarized calendar context (meeting count, schedule load — not full event details)

    - Previously extracted AI memories (facts, goals, preferences you've shared in conversation)


    **What is NOT sent to OpenAI:**

    - Your name or email address

    - Raw HealthKit data or Apple Health records

    - Your specific app selections for Shields

    - Audio recordings

    - Your full calendar event details


    **OpenAI Data Usage:** Per OpenAI's API data usage policy, data sent through the API is **not used to train OpenAI's models**. See: [https://openai.com/policies/api-data-usage-policies](https://openai.com/policies/api-data-usage-policies)


    ### 3.3 RevenueCat


    We use RevenueCat to manage premium subscriptions.


    **Data processed by RevenueCat:**

    - Anonymous user identifier (linked to your account if signed in)

    - Purchase transactions and subscription status

    - Product pricing information


    RevenueCat's privacy policy: [https://www.revenuecat.com/privacy](https://www.revenuecat.com/privacy)


    ### 3.4 Apple Services


    | Service | Purpose |

    |---------|---------|

    | Sign in with Apple | Authentication (optional) |

    | HealthKit | Health data access (with permission) |

    | EventKit | Calendar access (with permission) |

    | Speech Framework | On-device voice transcription |

    | Family Controls / Screen Time | Shield app-blocking functionality |


    Apple's privacy policy: [https://www.apple.com/privacy](https://www.apple.com/privacy)


    ### 3.5 Google Sign-In


    If you choose to sign in with Google, Google processes your authentication credentials according to their privacy policy: [https://policies.google.com/privacy](https://policies.google.com/privacy)

4. Data Storage & Security

4.1 Where Your Data Is Stored


| Location | Data | Encryption |

|----------|------|------------|

| On your device (UserDefaults) | Check-in history, energy scores, shield configs, preferences, local chat messages | Protected by iOS device encryption |

| Google Cloud Firestore (US) | Account data, chat history, check-ins, shields, energy scores, AI memories | Encrypted at rest and in transit (TLS 1.2+) |

| Apple (HealthKit) | Health and fitness data | Protected by iOS Secure Enclave |


### 4.2 Data Retention


| Data Type | Retention Period |

|-----------|-----------------|

| Account information | Until you delete your account |

| Chat history | Until you clear it or delete your account |

| Wellness check-ins | 90 days locally; indefinitely in cloud until account deletion |

| Energy scores | 30 days locally; indefinitely in cloud until account deletion |

| Health summaries | 14 days in cloud |

| AI memories | Automatically pruned after 30 days if low confidence; otherwise until account deletion |

| Crash reports | 90 days (managed by Firebase) |

| Alert history | 30 days |


### 4.3 Security Measures


- All network communication uses HTTPS/TLS encryption

- Firebase Authentication with industry-standard OAuth 2.0

- Apple Sign-In uses PKCE (Proof Key for Code Exchange) with cryptographic nonce

- Cloud Firestore access rules enforce user-scoped data isolation

- Health data is processed on-device and never stored in plaintext on external servers

- Speech recognition runs on-device when hardware supports it

- Screen Time app selections use Apple's anonymized token system

5. Your Rights & Choices

5.1 Access & Control


You have the right to:


- **Access your data:** View your check-in history, chat history, energy scores, and account information directly in the App

- **Delete your data:** Delete your account and all associated cloud data through the App's settings (Settings > Delete Account)

- **Clear chat history:** Clear your conversation history at any time from the chat screen

- **Withdraw permissions:** Revoke HealthKit, Calendar, Notifications, Screen Time, or Speech Recognition access at any time through iOS Settings

- **Use without an account:** The App functions without creating an account — health data, energy scores, chat (local), and shields all work without sign-in

- **Export your data:** Contact us to request a copy of your data in a portable format


### 5.2 Opt-Out Options


| Feature | How to Opt Out |

|---------|---------------|

| HealthKit data access | iOS Settings > Privacy & Security > Health > Kora |

| Calendar access | iOS Settings > Privacy & Security > Calendars > Kora |

| Speech recognition | iOS Settings > Privacy & Security > Speech Recognition > Kora |

| Screen Time (Shields) | Do not set up Shields, or remove them in the Shield tab |

| Push notifications | iOS Settings > Notifications > Kora |

| Cloud data sync | Use the App without creating an account |

| Crash reporting | Crash reporting is automatic in production; no separate opt-out |

| AI chat | Do not use the chat feature |


### 5.3 Account Deletion


When you delete your account:

1. Your Firebase Authentication account is permanently deleted

2. All cloud data is deleted from Firestore (chat history, check-ins, shields, energy scores, memories)

3. Your RevenueCat subscription data is anonymized

4. Local data on your device is cleared

5. This process is irreversible

6. Children's Privacy

Kora is not directed at children under 13 (or under 16 in the European Economic Area). We do not knowingly collect personal information from children. If you believe a child has provided us with personal data, please contact us and we will promptly delete it.

7. International Data Transfers

If you are located outside the United States, please be aware that your data may be transferred to, stored, and processed in the United States where our cloud infrastructure (Google Cloud / Firebase) is located. By using the App, you consent to this transfer. We ensure appropriate safeguards are in place in accordance with applicable data protection laws.

8. Your Rights Under Specific Laws

8.1 European Economic Area (GDPR)


If you are in the EEA, you have the right to:

- Access, correct, or delete your personal data

- Restrict or object to data processing

- Data portability

- Withdraw consent at any time

- Lodge a complaint with your local data protection authority


**Legal Basis for Processing:**

- **Consent:** HealthKit, Calendar, Speech, and Screen Time access

- **Contract Performance:** Providing App functionality and subscription services

- **Legitimate Interest:** Crash reporting and App improvement


### 8.2 California (CCPA/CPRA)


If you are a California resident, you have the right to:

- Know what personal information is collected and how it is used

- Request deletion of your personal information

- Opt out of the "sale" of personal information — **we do not sell your personal information**

- Non-discrimination for exercising your privacy rights


**Categories of personal information collected** (per CCPA categories):

- Identifiers (name, email)

- Health information (via HealthKit, with consent)

- Internet or electronic network activity (usage data)

- Commercial information (subscription status)

9. Changes to This Policy

We may update this Privacy Policy from time to time. When we make material changes:

- We will update the "Last Updated" date at the top

- We may notify you via an in-app notification or email

- Continued use of the App after changes constitutes acceptance


We encourage you to review this policy periodically.

10. Changes to This Policy

If you have any questions, concerns, or requests regarding this Privacy Policy or your personal data, please contact us:


Email: reljadev@gmail.com


We will respond to your inquiry within 30 days (or sooner as required by applicable law).

Create a free website with Framer, the website builder loved by startups, designers and agencies.