Privacy
What we collect, what we don’t, and why.
Last updated June 7, 2026.
Heir is a daily health companion. To do that job well, it has to handle some genuinely sensitive information about you: how you slept, how you feel, what’s in your supplement stack, when your period started, what your last bloodwork said. This page tells you, in plain language, every category of data we touch, every third party we share it with to operate the service, and every right you have to access, export, or delete it.
If anything here is unclear, write to privacy@heir.health and we will answer.
1. Who we are
Heir is operated by YOUR LEGAL ENTITY NAME (“Heir,” “we,” “us”), a company registered in YOUR JURISDICTION, with a registered address at YOUR REGISTERED ADDRESS.
For any privacy question, request, or concern, write to privacy@heir.health. We respond within thirty days.
2. The short version
- We collect what we need to make Heir useful to you, and nothing more.
- We do not sell your data. We do not share it with advertisers.
- We do not use your data for targeted advertising or profile-based ad networks.
- Health-related data — including check-ins, scans, supplement stack, cycle and reproductive information, and any data read from Apple HealthKit — is treated with the highest care. HealthKit data is read only with your explicit permission and is never used for advertising, never sold, and never disclosed to a third party except to operate the service you asked us to provide.
- You can export your data and delete your account from inside the app at any time.
- Heir is built for adults. You must be 18 or older to use it.
3. The data we collect
3.1 Account data
When you sign up, our identity provider (Clerk) stores: your email address; a hashed user identifier; the authentication method you chose (Sign in with Apple by default); your account creation, sign-in and password-change timestamps; and, if you provide them, a display name and profile photo.
3.2 Profile and onboarding data
During onboarding and on the Profile page, you may provide: first and last name; age or age range; biological sex; height; weight; primary health goal; relationship to health; body instinct; symptoms you experience; familiar health modalities; dietary style; food intolerances or avoidances; sustainable daily effort level; morning reminder time; ambient-sound and evening-color preferences; and free-text notes about your context.
If you opt into the cycle questions: average cycle length and the start date of your most recent menstrual period. Cycle and reproductive information receives heightened protection — see Section 9.
3.3 Daily check-in data
Each morning, if you choose to check in, we store: the date; your one-to-five ratings for energy, mood, and sleep; and an optional free-text note (“Anything on your mind?”). The free-text note is processed by our hard-coded safety regex before any AI ever sees it — see Section 7.
3.4 Today’s Read data
Each time we generate a Today’s Read for you, we store: the three sourced actions returned to you, the citations used, and the inputs that produced them (your check-in, your profile, and retrieved sources). We retain these so you can revisit a past read and so we can audit safety regressions.
3.5 Food-scanner data
When you scan a barcode, we send the barcode to public catalogs (Open Food Facts, USDA FoodData Central, Nutritionix) and store the product lookup result, the verdict our engine produced, the reasoning it surfaced, and a record of the scan tied to your account. Camera frames are processed on-device by Apple’s VisionKit and are never sent to our servers.
3.6 Stack (supplements) data
Supplements you add to your Stack are stored with: brand, product name, form, dose, servings per bottle, purpose tags, optional barcode, third-party-testing markers, and your taking schedule. The optional monthly cost you enter for Heir Care is stored locally on your device only.
3.7 Heir Care data
When you set up Heir Care, you provide: a monthly budget; an activity profile; an optional safety gate (medications, diagnosed conditions, allergies, and a pregnancy/nursing flag); and optional manually-entered laboratory values. Safety-gate text, lab values, and supplement costs you backfill are stored locally on your device only — they are not transmitted to our servers in v1. The Heir Care recommendation engine runs entirely on-device.
3.8 Library reads
We record which corpus sources you opened and how long the read lasted, in aggregate, to improve recommendation quality. Individual reading sessions are not exposed to anyone other than you.
3.9 Prayer Room data
Prayers you share to the community are visible to all signed-in users, with the attribution you chose (your first name, “A friend,” or anonymous). “Just me” prayers are visible only to you. Lift counts are public; who lifted a prayer is private.
3.10 Subscription data
If you subscribe, Stripe processes the payment and gives us: your customer identifier, subscription identifier, plan, status, and billing event timestamps. Card numbers and full billing details are held by Stripe; we never see or store them. iOS in-app purchases are processed by Apple’s StoreKit; we receive only the validated subscription state.
3.11 Apple HealthKit data
If you grant permission, Heir reads from Apple HealthKit on-device: last-night sleep duration, recent heart-rate variability (SDNN), and recent resting heart rate. Heir does not read your cycle from HealthKit in v1 — cycle data is collected from your own answers to the onboarding questions.
We comply with all Apple HealthKit privacy requirements. HealthKit data is never used for advertising; is never sold, rented, or transferred for advertising; is never shared with data brokers; and is never disclosed to a third party except as required to provide the service you asked for or as required by law.
3.12 Device, diagnostic, and product-improvement data
PostHog records anonymous, aggregated product analytics — which screens are opened, which features are used, conversion events — tied to a random identifier, not your name or email. Sentry records crashes and runtime errors with stack traces and minimal device information for diagnostics. Neither service receives the contents of your check-ins, your reads, your scans, your stack, your Care inputs, or your HealthKit data.
4. How we use your data
We use your data for these purposes only:
- To operate the features you signed up for.
- To personalize your Today’s Read, food-scan verdicts, and Heir Care portfolio against your goal, your symptoms, your cycle phase, and your recent check-ins.
- To run the hard-coded safety regex layer on every check-in before any AI sees it.
- To process subscriptions, prevent fraud, and resolve billing issues.
- To send you transactional emails (sign-in confirmations, billing receipts, account changes). We do not send marketing email unless you separately opt in.
- To detect and respond to safety, abuse, or security incidents.
- To comply with the law.
- To improve Heir, in aggregate, using anonymized signals only.
We do not use your data to: train external AI models on identified content; build a profile of you for advertising partners; sell or rent your data; or share your data with people-search or data-broker services.
5. Subprocessors
To operate Heir we rely on the following third-party processors. Each is bound by a Data Processing Agreement (or equivalent), and each has access only to the data category required to perform its function.
| Subprocessor | Role | Data category | Region |
|---|---|---|---|
| Clerk | Identity and authentication | Email, hashed user id, sign-in events | United States |
| Supabase | Primary database and storage | All app data scoped by Row-Level Security to the user | United States |
| Vercel | Application hosting | HTTP request logs, deployment artifacts | United States |
| Vercel AI Gateway → Anthropic | AI inference for reads and scanner personalization | Sanitized check-in and profile signals; retrieved source excerpts | United States |
| Voyage AI | Embeddings for the source corpus | Source text only; no user data | United States |
| Stripe | Subscription payments | Customer record, billing events, tax data | United States |
| Apple StoreKit | In-app purchases on iOS | Transaction receipts; no payment card data | United States |
| Apple HealthKit | On-device health data access | Sleep, HRV, RHR — read on-device only, never uploaded to our servers | On-device only |
| Resend | Transactional email | Email address, message contents you would expect to receive | United States |
| PostHog | Anonymous product analytics | Event names, screen names, anonymous identifiers | United States |
| Sentry | Error and crash reporting | Stack traces, runtime context, basic device info | United States |
| Open Food Facts, USDA FoodData Central, Nutritionix | Food product catalogs | Barcodes we look up; no user identifiers attached | Public APIs |
We update this list as our processors change. Material changes appear here at least thirty days before they take effect.
6. Where your data lives
Heir’s primary database (Supabase Postgres) and application servers (Vercel) are hosted in the United States. AI inference is routed through Vercel AI Gateway to Anthropic’s US-based endpoints. If you use Heir from outside the United States, your data is transferred to and processed in the United States. We rely on Standard Contractual Clauses (and equivalents) with our processors where required.
7. Safety processing of free-text content
Any free-text you write into Heir — check-in notes, profile notes, Heir Care safety-gate fields — is passed through a hard-coded safety regex layer before any AI model is invoked. If the layer detects an indicator of self-harm, suicidal ideation, or a medical emergency, the AI is bypassed entirely and you receive an escalation screen with clinician and crisis-line contacts. The trigger text itself is logged in an access-controlled audit table so we can review and refine the escalation logic.
8. AI and the corpus
Today’s Read, Long Reads, and the scanner’s personalization are generated by Anthropic’s Claude models, routed through Vercel AI Gateway. We use retrieval-augmented generation: the AI is shown only short excerpts from a curated 20-book corpus we have ingested, and is constrained at the schema level to cite only sources we retrieved. Anthropic does not train its models on data submitted through the API.
The Heir Care recommendation engine is not an AI: it is a transparent rules-based table that you can read in our source code. There is no LLM in the loop and no model decides what you see in your portfolio.
9. Cycle, reproductive, and sensitive health data
We recognize that menstrual-cycle and reproductive information is sensitive, and that the legal landscape around it changes. We handle this category with the strongest protection we offer:
- Cycle data is collected only if you provide it. The cycle onboarding step is conditional and can be skipped.
- We never sell, rent, or transfer cycle, reproductive, or pregnancy/nursing information to anyone, for any purpose, ever.
- We do not use this data for advertising, will not allow any future advertising partner to receive it, and do not combine it with third-party data brokers.
- We do not voluntarily disclose this data to law enforcement, prosecutors, or any government authority. If we receive a legally binding demand we believe is valid — for any user data, but especially this category — we will: (a) notify the affected user unless prohibited by law, (b) attempt to narrow the demand, and (c) involve counsel before producing anything.
- On account deletion (Section 11), cycle and reproductive fields are deleted along with the rest of your profile.
If you want to use Heir without entering cycle data, you can. Skip the cycle step in onboarding, and food-scan personalization will fall back to a non-cycle baseline.
10. Your rights
Wherever you live, you have the right to:
- Access the data we hold about you. Email privacy@heir.health and we will return your records within thirty days.
- Export your data in a machine-readable format.
- Correct inaccurate or incomplete data. Most fields can be edited directly in the app.
- Delete your account and all associated personal data, directly from the app (Profile → Account → Delete account) or by emailing us. See Section 11.
- Withdraw consent for HealthKit at any time, in iOS Settings → Privacy & Security → Health → Heir.
- Object to specific processing or restrict it.
- Lodge a complaint with your data protection authority. EU users may complain to their national authority; California users may contact the California Privacy Protection Agency.
For California users: you have the right not to be discriminated against for exercising your CCPA/CPRA rights. We do not sell or share your personal information for cross-context behavioral advertising, and we do not knowingly process the personal information of anyone under sixteen for any sale or sharing purpose.
11. Account deletion and retention
You can delete your account at any time from inside the app: Profile → Account → Delete account. Deletion is permanent. Within thirty days we delete:
- Your profile row and all dependent rows (cascade).
- Your check-ins, reads, scans, library reads, and prayer rows.
- Your Stack rows: supplements, bottles, schedules, intakes.
- Your Heir Care fields and any local data stored on the device.
What we retain after deletion, and for how long:
- Billing records with Stripe: retained for the period required by tax and accounting law (typically seven years in the United States). Your Stripe customer record is marked heir_deleted=true so it is excluded from any future processing.
- Anonymized analytics (PostHog): retained without your user identifier. We cannot disentangle your past anonymous events from the aggregate.
- Audit logs and backups for security and integrity purposes, retained for up to ninety days, then purged.
If you don’t use Heir for twenty-four consecutive months, we will email you and, if you don’t respond, delete your account.
12. Security
Data in transit is protected by TLS 1.2 or higher. Data at rest in Supabase is encrypted. Every database table that holds user data is covered by Postgres Row-Level Security, scoped to your authenticated identity, so users cannot read or modify another user’s data. Production secrets are stored encrypted with our hosting provider and rotated when team membership changes.
No system is perfectly secure. If we discover a breach affecting your personal data, we will notify you and, where required, the relevant data protection authority, within the timeframes the law imposes.
13. Children
Heir is not intended for anyone under the age of 18. We do not knowingly collect personal information from anyone under 18. If you believe a child has provided us personal information, contact privacy@heir.health and we will delete it.
14. Cookies and similar technologies
On the marketing website (heir.health), we set strictly-necessary cookies and use PostHog for first-party analytics with anonymized identifiers. The iOS app does not use cookies. The iOS app does not use any tracking framework defined by Apple’s App Tracking Transparency policy, and we do not request a tracking permission prompt.
15. Changes to this policy
We may update this policy as Heir evolves. When we do, we will update the “Last updated” date at the top. For material changes, we will surface a notice in the app and email you at the address associated with your account before the change takes effect.
16. Contact
For any privacy question, request, or concern, write to privacy@heir.health.
For EU residents, you may also contact our EU representative at EU REPRESENTATIVE NAME AND ADDRESS.
For California residents exercising rights under the CCPA/CPRA, the same email address is the designated channel.