Privacy Policy
1. Introduction
Hekta ("we", "us", or "our") is committed to protecting your privacy. This Privacy Policy explains what information we collect when you use the Hekta iOS application ("App"), how we use it, how we share it, and your rights regarding that information.
By using the App, you agree to the practices described in this Privacy Policy. If you do not agree, please do not use the App.
Hekta is operated by an individual developer based in Washington State, United States.
2. Information We Collect
2.1 Account Information (Apple or Google Sign-In)
Hekta supports Sign in with Apple and Sign in with Google. When you sign in, we receive and store:
- Provider user identifier: An opaque, app-specific identifier assigned by Apple, or your Google account identifier. We cannot use these identifiers to look you up in any other service.
- Internal Hekta user ID: A server-generated UUID that we create and associate with your provider identifier.
- Email address: Shared by Google Sign-In by default. Apple does not share your email address unless you explicitly choose to share it on first sign-in; even then, we store it only to associate it with your account and do not use it for marketing.
- Full name: May be provided by Apple or Google on first sign-in only. We use it solely to pre-populate your in-app nickname and do not retain it separately after that.
- Nickname: A display name you choose within the App (may or may not be your real name — your choice).
- Avatar: An emoji character you select to represent yourself.
2.2 Challenge and Activity Data
When you use the App, we store:
- Daily log entries: the date, your rep count or habit completion status, your daily target value, and any skip reason text you enter
- Streak data: your current streak count, including a cached streak value stored per group membership
- Group membership: which group challenges you belong to, your role (owner or member), and your participation history
- Challenge metadata: challenge name, type, start date, total days, metric type, and theme color
- Group activity feed entries: events such as member completions, cheers, congrats messages, and theme changes — stored to populate the in-group activity feed
- Push notification preferences: which notification categories you have enabled (daily reminders, streak alerts, group completion, cheers), stored server-side to determine which notifications to send
2.3 Device Information
- Push Notification Token (APNs): If you enable push notifications, we store your Apple Push Notification service (APNs) device token to send you reminders and alerts. This token is specific to your device and the App; it does not identify you personally.
- Push notification preferences are stored server-side (see Section 2.2) and are separate from the device token — they let us know which types of notifications you want.
2.4 Advertising Data (Google AdMob)
The free version of Hekta displays banner advertisements served by Google AdMob. With your permission, Hekta shows you personalized ads. The App asks for that permission through Apple's App Tracking Transparency prompt before accessing your device's Identifier for Advertising (IDFA), which AdMob uses to personalize and measure ads across other companies' apps and websites. If you decline, you still see ads, but they are not personalized and no IDFA is used.
To serve and measure those banners, the AdMob SDK may collect:
- A device identifier, including the IDFA once you allow tracking, used for ad delivery, personalization, frequency capping, measurement, and fraud prevention
- Approximate location, derived from your IP address (not your device's GPS)
- Ad interaction data (for example, whether an ad was shown or tapped)
- Device and OS information and basic diagnostics
This data is collected and processed by Google under its own privacy policy, and we do not receive or control it. You can change your tracking choice at any time in iOS Settings under Privacy and Security, then Tracking. Turning tracking off returns your ads to non-personalized. To stop seeing ads entirely, which also stops the AdMob SDK from loading, remove ads through a Hekta Plus subscription or the one-time ad-removal purchase.
2.5 Subscription and Purchase Data
If you purchase a Hekta subscription, we store subscription entitlement records associated with your account, including:
- Apple original transaction identifier and product identifier
- Purchase date, expiration or renewal date, and subscription status
- Environment (sandbox or production)
Apple processes all payments, and we do not have access to your payment card details, Apple ID password, or billing information. We use this data solely to grant and enforce subscription entitlements within the App.
2.6 Analytics and Diagnostics (Google Firebase)
Hekta uses Google Firebase to understand how the App is used and to keep it stable:
- Usage analytics: We record in-app events — for example, signing in, completing a habit, creating or joining a challenge, opening an invite link, and screen views — associated with your internal Hekta user ID. You can turn analytics off at any time in the App's settings.
- Crash and performance diagnostics: We collect crash reports and basic performance data through Firebase Crashlytics to find and fix bugs. These diagnostics are always on and are not linked to your identity.
We do not use this data to track you across other companies' apps or websites.
3. Information We Do NOT Collect
To be explicit, Hekta does not collect or store:
- Your email address — unless shared with us via Sign in with Google, in which case we store it only to associate it with your account and do not use it for marketing
- Your real name or government-issued ID — a name is used only to pre-fill your nickname on first sign-in (if provided by Apple or Google) and is not retained separately
- Your precise or approximate GPS location
- Health or fitness data from Apple Health, HealthKit, or any wearable device
- Photos, videos, or microphone recordings
- Biometric data (Face ID, fingerprint data, etc.)
- Financial or payment card information
- Contacts or address book data
- Browsing history outside the App
All fitness metrics in Hekta (e.g., push-up counts, meditation minutes) are entered manually by you — we do not access any device sensors or Apple Health data.
4. How We Use Your Information
We use the information we collect to:
| Purpose | Data Used |
|---|---|
| Authenticate your identity and maintain your account | Provider user identifier, internal Hekta user ID |
| Display your profile to group members | Nickname, avatar |
| Sync your challenge progress across sessions | Daily logs, streak data, group membership |
| Send push notifications (reminders, streak alerts, group activity, cheers) | APNs push token |
| Deliver only the notification types you've opted into | Push notification preferences |
| Enable group challenge features (progress sharing, activity feed) | Logs, streaks, group membership, activity feed entries |
| Manage subscription entitlements | Subscription record (Apple original transaction ID, product, dates, status) |
| Serve advertisements to free users | Handled by AdMob (see Section 2.4) |
| Investigate abuse, enforce our Terms of Service, and protect users | Any relevant data |
| Improve and maintain the App | Aggregated, de-identified usage patterns |
We do not use your data for automated decision-making that produces legal or similarly significant effects.
5. How We Share Your Information
5.1 With Other Users (Group Challenges)
When you join a group challenge, the following is visible to all members of that group:
- Your nickname and avatar
- Your current streak count and daily target value
- Your daily log entries (completion status, rep count for each day)
- Your participation status and role in the group
- Group activity feed events you generate (e.g., completing your daily target, sending a cheer, or changing the group theme)
Do not include sensitive personal information in your nickname, challenge name, skip reason text, or any other free-text field.
5.2 Service Providers
We share data with the following third-party service providers who process data on our behalf:
| Provider | Purpose | Data Shared |
|---|---|---|
| Supabase | Cloud database and authentication backend | All data stored in the App |
| Apple (Sign in with Apple, APNs, App Store / StoreKit) | Authentication, push notification delivery, and subscription processing | Provider user identifier, APNs push token, notification content, subscription transaction records |
| Google (Sign in with Google) | Authentication when chosen | Google account identifier, email address, and display name (if shared) |
| Google AdMob | Advertising (free tier) | See Section 2.4 — AdMob operates independently |
| Google Firebase (Analytics, Crashlytics) | Usage analytics and crash/performance diagnostics | In-app event names, internal Hekta user ID, crash and performance diagnostics (see Section 2.6) |
Supabase processes data as our data processor and is contractually bound to process your data only as directed by us and in accordance with applicable privacy law.
5.3 Legal Requirements
We may disclose your information if required to do so by law, legal process, or government request, or if we believe in good faith that disclosure is necessary to protect our rights, protect your safety or the safety of others, investigate fraud, or respond to a legal claim.
5.4 Sale and Sharing of Personal Data
We do not currently sell your personal data. If that ever changes, we will tell you in advance and, where the law requires it, ask for your consent or give you a way to opt out before we do.
Separately from the service providers in Section 5.2 who process data on our behalf, we share one category of data for advertising today. If you allow tracking through the App Tracking Transparency prompt, Google AdMob receives your device Identifier for Advertising (IDFA) to personalize the banner ads shown on the free tier (see Section 2.4). Under some privacy laws, including the California CPRA, sharing an advertising identifier to personalize ads across other companies' apps and websites is treated as cross-context behavioral advertising. You can stop this at any time by turning off tracking in iOS Settings under Privacy and Security, then Tracking, or by removing ads through Hekta Plus or the one-time ad-removal purchase.
5.5 Business Transfers
If Hekta is involved in a merger, acquisition, financing, reorganization, or sale of all or part of its assets, your personal data may be transferred as part of that transaction. We will notify you of any such change in ownership or control of your personal data, and the data will remain subject to the commitments in this Privacy Policy unless you are told otherwise in advance.
5.6 Aggregated and De-identified Data
We may create and use aggregated or de-identified information that no longer identifies you, for example statistics showing which habits and challenges are most common across all users. We commit to maintaining and using this information only in de-identified form, and we will not attempt to re-identify it. Any public statistics we share are prepared so they do not identify an individual user or group.
6. Push Notifications
If you grant notification permissions, we store your APNs device token in our Supabase database to deliver:
- Daily challenge reminders (at your configured time)
- Streak alerts (before your streak resets)
- Group completion broadcasts
- Cheer notifications from group members
To opt out: Go to iOS Settings > Notifications > Hekta and disable notifications, or adjust settings within the App. Disabling notifications does not delete your account or data.
When you delete your account, your APNs token is removed from our database.
7. Data Retention
- While your account is active: We retain your data to operate the App and provide the Service.
- After account deletion: We will delete your account data from our active databases within 30 days of your deletion request. Residual copies in backups may persist for up to 90 days before being overwritten.
- Group data: When you request full account deletion, we remove your group memberships, daily log entries, push tokens and notification preferences, purchase records, and stored Apple sign-in credentials. Entries you generated in a group's activity feed (such as cheers and achievements) are anonymized — detached from your identity — so the remaining members' group history stays intact. A group left with no members is deleted.
8. Children's Privacy
Hekta is not directed to children under 13 years of age. We do not knowingly collect personal information from children under 13. If you are under 13, do not use the App.
If we become aware that we have collected personal information from a child under 13 without verifiable parental consent, we will take steps to delete that information promptly. If you believe a child under 13 has provided us with personal information, please contact us at hektachallenge@gmail.com.
This practice is in compliance with the Children's Online Privacy Protection Act (COPPA).
9. Your Privacy Rights
Depending on your location, you may have the following rights regarding your personal data:
- Access: Request a copy of the personal data we hold about you.
- Correction: Request that we correct inaccurate or incomplete data.
- Deletion: Request that we delete your account and personal data.
- Portability: Request your data in a machine-readable format where technically feasible.
- Opt-out of ad tracking: Hekta shows personalized ads only if you allow tracking through the App Tracking Transparency prompt. You can withdraw that permission at any time in iOS Settings under Privacy and Security, then Tracking, which returns your ads to non-personalized. To remove ads entirely, subscribe to Hekta Plus or make the one-time ad-removal purchase. You can also turn off usage analytics in the App's settings.
California Residents (CCPA/CPRA): You have the right to know what personal information we collect, the right to delete your personal information, the right to opt out of the sale or sharing of your personal information, and the right not to be discriminated against for exercising these rights. As described in Section 5.4, the only sharing we do today is the personalized-ad IDFA sent to Google, which the CPRA treats as cross-context behavioral advertising. You can opt out of that sharing at any time by turning off tracking for Hekta through the App Tracking Transparency prompt or in iOS Settings under Privacy and Security, then Tracking.
To exercise any of these rights, contact us at hektachallenge@gmail.com. We will respond within 30 days.
10. Data Security
We take reasonable measures to protect your data:
- Data is stored on Supabase, which uses industry-standard encryption at rest and in transit (TLS/HTTPS)
- Access to the database is restricted and governed by Row-Level Security (RLS) policies — users can only access data they are authorized to see
- Your Apple User Identifier is an opaque token that cannot be reversed to reveal your Apple ID
No method of transmission over the internet or electronic storage is 100% secure. While we strive to protect your information, we cannot guarantee absolute security.
11. Third-Party Links and Services
The App integrates with third-party services (Supabase, Google AdMob, Apple). This Privacy Policy does not apply to those third parties' own data collection practices. We encourage you to review their privacy policies.
12. International Users
Hekta is operated from the United States. If you are accessing the App from outside the United States, please be aware that your information may be transferred to, stored, and processed in the United States, where data protection laws may differ from those in your country.
European Users (GDPR): Our legal basis for processing your data is the performance of our contract with you (that is, providing the App). For personalized advertising on the free tier, our legal basis is your consent. In the European Economic Area and the UK, we collect that consent through a Google-certified consent form shown before any ad loads, in addition to Apple's App Tracking Transparency prompt. You can withdraw consent at any time in iOS Settings, which returns your ads to non-personalized, or remove ads entirely through Hekta Plus or the one-time ad-removal purchase. For usage analytics, our legal basis is your consent, which you can withdraw in the App's settings. You may have additional rights under GDPR, including the right to lodge a complaint with your local supervisory authority.
If we ever sell or share your personal data beyond the practices described in this policy, our legal basis for that processing will be your explicit consent. We will collect that consent before any such sale or sharing, and you can withdraw it at any time.
13. Changes to This Privacy Policy
We may update this Privacy Policy from time to time. When we do, we will update the "Last Updated" date at the top of this document. Material changes will be communicated through an in-app notice or a prompt at next app launch. Your continued use of the App after changes take effect constitutes your acceptance of the revised policy.
14. Contact Us
If you have questions, concerns, or requests regarding this Privacy Policy or your personal data, please contact us:
Email: hektachallenge@gmail.com
We will respond to privacy-related inquiries within 30 days.
This Privacy Policy was last updated on June 29, 2026.