Privacy Policy
Last updated: January 5, 2025
1. Introduction
Welcome to Helmly ("we," "our," or "us"). We are committed to protecting your privacy and personal data. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our life goal management application and services (the "Service").
By using Helmly, you agree to the collection and use of information in accordance with this policy. If you do not agree with this policy, please do not use our Service.
2. Information We Collect
2.1 Account Information
When you create an account, we collect:
- Name
- Email address
- Authentication credentials (securely hashed)
- Profile information you choose to provide
2.2 Health and Fitness Data
To help you track and achieve your health goals, we may collect health-related data that you voluntarily provide or authorize us to access through connected devices and services. This includes:
- Body Metrics: Weight, body fat percentage, muscle mass, waist circumference
- Activity Data: Workouts, cardio sessions, steps, distance, calories burned
- Nutrition Data: Food intake, calories, macronutrients (protein, carbs, fat), water consumption
- Sleep Data: Sleep duration, sleep quality, sleep stages, bedtime and wake time
- Vital Signs: Heart rate, resting heart rate, heart rate variability (HRV), blood pressure, blood oxygen (SpO2)
- Readiness and Recovery: Recovery scores, readiness scores, strain levels
2.3 Data from Third-Party Services
With your explicit authorization, we may collect health and fitness data from third-party devices and services you choose to connect, including but not limited to:
- Oura Ring: Sleep data, readiness scores, activity data, heart rate, HRV, body temperature trends
- Apple Health: Activity, workouts, body metrics, sleep, heart rate
- Fitbit: Activity, sleep, heart rate, body metrics
- Garmin: Activity, workouts, sleep, heart rate
- Google Fit: Activity, workouts, body metrics
When you connect a third-party service, you will be asked to authorize specific data access. We collect only data that you explicitly authorize and that is needed for the Service's functionality.
2.4 Goal and Progress Data
We collect data related to your personal goals and progress, including:
- Health, wealth, work, and happiness goals
- Habits and habit tracking data
- To-do items and task completion
- Metrics and measurements you track
- Notes and reflections
2.5 Financial Data (Wealth Pillar)
If you use our wealth tracking features, we may collect:
- Account names and types (not account numbers)
- Account balances you manually enter
- Income and expense categories
- Financial goals and progress
Important: We do not access your bank accounts directly. All financial data is manually entered by you and stored securely.
2.6 Usage Data
We automatically collect certain information when you use our Service:
- Device information (type, operating system)
- Browser type and version
- Pages visited and features used
- Time and date of visits
- Error logs and performance data
3. How We Use Your Information
We use your information for the following purposes:
- Provide and maintain the Service: Display your goals, track progress, and provide insights
- Personalize your experience: Customize recommendations and goal suggestions
- Improve our Service: Analyze usage patterns to enhance features and fix issues
- Communicate with you: Send important updates, respond to inquiries, and provide support
- Ensure security: Protect against unauthorized access and abuse
We do not sell your personal data. We do not share your health data with third parties for their marketing purposes.
4. Data Storage and Security
4.1 Storage
Your data is stored on secure servers using industry-standard encryption. We use PostgreSQL databases hosted on secure cloud infrastructure with encryption at rest and in transit.
4.2 Security Measures
We implement appropriate technical and organizational measures to protect your data:
- Encryption of data in transit (TLS/SSL) and at rest
- Secure authentication using Firebase Authentication
- Regular security audits and updates
- Access controls limiting who can access data
- Secure password hashing (bcrypt)
4.3 Data Breach Response
In the event of a data breach that affects your personal information, we will notify you and relevant authorities as required by applicable law within 72 hours of becoming aware of the breach.
5. Data Sharing and Disclosure
We may share your information only in the following circumstances:
- With your consent: When you explicitly authorize sharing
- Service providers: With trusted third parties who help us operate the Service (hosting, analytics), under strict confidentiality agreements
- Legal requirements: When required by law, court order, or governmental authority
- Business transfers: In connection with a merger, acquisition, or sale of assets, with continued protection of your data
6. Your Rights and Choices
You have the following rights regarding your personal data:
6.1 Access and Portability
You can access your data at any time through the Service. You may request a copy of your data in a portable format.
6.2 Correction
You can update or correct your personal information through your account settings.
6.3 Deletion
You can request deletion of your account and personal data. Upon request, we will delete your data within 30 days, except where we are required to retain it by law.
6.4 Disconnect Third-Party Services
You can disconnect any connected third-party services (like Oura or Apple Health) at any time through your account settings. Upon disconnection, we will stop collecting new data from that service.
6.5 Opt-Out
You can opt out of non-essential communications through your account settings or by using the unsubscribe link in emails.
7. Data Retention
We retain your personal data for as long as your account is active or as needed to provide you with the Service. If you delete your account, we will delete your personal data within 30 days, except:
- Aggregated, anonymized data that cannot identify you
- Data we are required to retain for legal or regulatory purposes
- Backup copies, which are deleted within 90 days
8. Children's Privacy
Our Service is not intended for children under 13 years of age. We do not knowingly collect personal information from children under 13. If we discover that a child under 13 has provided us with personal information, we will delete it immediately.
9. International Data Transfers
Your data may be transferred to and processed in countries other than your country of residence. We ensure appropriate safeguards are in place to protect your data in accordance with this Privacy Policy and applicable laws.
10. Third-Party Links
Our Service may contain links to third-party websites or services. We are not responsible for the privacy practices of these third parties. We encourage you to read their privacy policies.
11. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of any material changes by posting the new policy on this page and updating the "Last updated" date. We encourage you to review this policy periodically.
12. Contact Us
If you have questions about this Privacy Policy or our data practices, please contact us at:
- Email: privacy@helmly.app
13. California Privacy Rights (CCPA)
If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA):
- Right to know what personal information we collect, use, and share
- Right to delete your personal information
- Right to opt out of the sale of personal information (we do not sell your data)
- Right to non-discrimination for exercising your privacy rights
14. European Privacy Rights (GDPR)
If you are in the European Economic Area (EEA), you have rights under the General Data Protection Regulation (GDPR):
- Right to access your personal data
- Right to rectification of inaccurate data
- Right to erasure ("right to be forgotten")
- Right to restrict processing
- Right to data portability
- Right to object to processing
- Right to withdraw consent at any time
The legal basis for processing your data includes: performance of a contract (providing the Service), your consent (for health data collection from third-party services), and legitimate interests (improving the Service and security).