Privacy Policy

1. Introduction

Heroic Apps LLC ("Company," "we," "us," or "our") operates the Headache Hero mobile application (the "App" or "Service"). This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our App.

We are committed to protecting your privacy and ensuring transparency about our data practices. This Privacy Policy has been drafted to comply with the General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA), and other applicable privacy laws worldwide.

Please read this Privacy Policy carefully. By using the App, you consent to the data practices described in this policy. If you do not agree with the terms of this Privacy Policy, please do not access or use the App.

2. Data Controller

For the purposes of the GDPR and other applicable data protection laws, the data controller is:

Heroic Apps LLC
United States
Email: loading...

If you have any questions about this Privacy Policy or our data practices, please contact us using the information provided above.

3. Information We Collect

We collect several types of information for various purposes to provide and improve our Service to you.

3.1 Personal Information You Provide

Account Information:

• Email address (required for account creation)
• Password (stored in encrypted/hashed form by our authentication provider)
• Google account information (if you choose to sign in with Google), including your name, email address, and profile picture

Health and Medical Information:

• Migraine and headache records, including:
  • Date and time of occurrence
  • Duration of migraine episodes
  • Pain intensity ratings (1-10 scale)
  • Pain location on the head/body
  • Triggers you identify (e.g., stress, foods, weather, sleep patterns)
  • Symptoms experienced (e.g., nausea, light sensitivity, aura)
  • Relief methods used and their effectiveness ratings
  • Anti-triggers
  • Threshold scores
• Medications and preventative treatments you are taking, including:
  • Medication names
  • Start and end dates of medication use

User-Generated Content:

• Custom triggers, symptoms, and relief methods you create
• Feedback and support messages you send to us

3.2 Information Collected Automatically

Location Information:

• Approximate (coarse) geographic location based on GPS coordinates
• City/location preference you manually enter
• We use location data solely to provide weather-related features and barometric pressure correlations with your migraine patterns

Weather Data:

• Barometric pressure readings associated with your location
• Weather conditions correlated with your migraine entries

Device and Usage Information:

• Device type, operating system, and version
• App usage patterns and interactions
• Session duration and frequency
• Feature usage statistics
• Crash reports and error logs
• Performance data

Purchase Information:

• Subscription status (free or premium)
• Transaction identifiers (processed through Apple App Store/Google Play Store)
• Purchase history related to in-app purchases
• We do NOT have access to your full payment card details

3.3 Information from Third-Party Services

When you use our App, we may receive information from third-party services:

• Firebase Authentication: Account credentials and authentication tokens
• Google Sign-In: Profile information you authorize us to access
• RevenueCat: Subscription and purchase status
• WeatherAPI.com: Weather and barometric pressure data based on your location

4. Legal Basis for Processing (GDPR)

If you are located in the European Economic Area (EEA), United Kingdom, or Switzerland, we process your personal data based on the following legal grounds under Article 6 of the GDPR:

Special Category Data: Your health information (migraine records, symptoms, medications) constitutes special category data under GDPR Article 9. We process this data based on your explicit consent, which you provide when you voluntarily enter health information into the App. By choosing to log migraine data, you are affirmatively consenting to the processing of that specific health information for the purposes described in this Privacy Policy. You may withdraw this consent at any time by deleting your data or your account.

5. How We Use Your Information

We use the information we collect for the following purposes:

To Provide and Maintain Our Service:

• Create and manage your account
• Enable migraine and headache tracking functionality
• Store and synchronize your health data across devices (via cloud backup)
• Provide weather-based migraine risk assessments
• Generate analytics and insights about your migraine patterns
• Process in-app purchases and manage subscriptions

To Improve Our Service:

• Analyze usage patterns to improve App functionality
• Identify and fix bugs, crashes, and technical issues
• Develop new features and enhancements
• Conduct internal research and analytics

To Communicate With You:

• Send service-related notifications (e.g., account verification, security alerts)
• Respond to your inquiries and support requests
• Send local notifications about migraine patterns and insights (if enabled)
• Send weather-related alerts (premium feature, if enabled)

To Ensure Security and Compliance:

• Detect, prevent, and address technical issues
• Protect against unauthorized access and fraud
• Comply with legal obligations

6. Data Sharing and Disclosure

We do not sell your personal information. We may share your information only in the following circumstances:

6.1 Third-Party Service Providers

We use the following third-party services to operate our App:

Refund Processing: We may share your app usage data with Apple to process refund requests submitted through the App Store.

6.2 Legal Requirements

We may disclose your information if required to do so by law or in response to valid requests by public authorities (e.g., a court or government agency), including to:

• Comply with a legal obligation
• Protect and defend our rights or property
• Prevent or investigate possible wrongdoing
• Protect the personal safety of users or the public
• Protect against legal liability

6.3 Business Transfers

If we are involved in a merger, acquisition, or sale of all or a portion of our assets, your personal data may be transferred as part of that transaction. We will notify you via email and/or prominent notice in the App of any change in ownership or uses of your personal information.

6.4 With Your Consent

We may share your information for other purposes with your explicit consent.

7. International Data Transfers

Your information may be transferred to and maintained on servers located outside of your state, province, country, or other governmental jurisdiction where data protection laws may differ from those in your jurisdiction.

If you are located outside the United States and choose to provide information to us, please note that we transfer the data to the United States and process it there.

For EEA/UK/Swiss Users: When we transfer personal data outside the EEA, UK, or Switzerland, we ensure appropriate safeguards are in place, including:

• Standard Contractual Clauses (SCCs) approved by the European Commission
• Transfers to countries with an adequacy decision
• Other legally recognized transfer mechanisms

Our third-party service providers (Firebase/Google, RevenueCat) maintain their own data transfer mechanisms and certifications for international transfers.

8. Data Retention

We retain your personal data only for as long as necessary to fulfill the purposes for which it was collected, including to satisfy any legal, accounting, or reporting requirements.

Data Deletion: You may delete your data at any time through the App's settings. When you delete your account, we will delete or anonymize your personal data within 30 days, except where we are required to retain certain information for legal or legitimate business purposes.

9. Your Privacy Rights

Depending on your location, you may have certain rights regarding your personal information:

9.1 Rights Under GDPR (EEA, UK, Switzerland)

• Right of Access (Art. 15): You have the right to request copies of your personal data.
• Right to Rectification (Art. 16): You have the right to request correction of inaccurate personal data.
• Right to Erasure (Art. 17): You have the right to request deletion of your personal data ("right to be forgotten").
• Right to Restrict Processing (Art. 18): You have the right to request restriction of processing of your personal data.
• Right to Data Portability (Art. 20): You have the right to receive your personal data in a structured, commonly used, machine-readable format.
• Right to Object (Art. 21): You have the right to object to processing of your personal data based on legitimate interests.
• Right to Withdraw Consent (Art. 7(3)): Where processing is based on consent, you have the right to withdraw consent at any time.
• Right to Lodge a Complaint: You have the right to lodge a complaint with a supervisory authority in your country of residence.

9.2 Rights Under CCPA (California Residents)

If you are a California resident, you have the following rights under the CCPA:

• Right to Know: You have the right to request disclosure of the categories and specific pieces of personal information we have collected about you.
• Right to Delete: You have the right to request deletion of your personal information, subject to certain exceptions.
• Right to Opt-Out of Sale: We do not sell personal information. However, you have the right to opt-out of any future sale of your personal information.
• Right to Correct: You have the right to request correction of inaccurate personal information.
• Right to Limit Use of Sensitive Personal Information: You have the right to limit the use and disclosure of your sensitive personal information.
• Right to Non-Discrimination: We will not discriminate against you for exercising any of your CCPA rights.

Categories of Personal Information Collected (CCPA Disclosure):

• Identifiers (email address, user ID)
• Personal information under Cal. Civ. Code 1798.80(e) (name)
• Protected classification characteristics (none collected)
• Commercial information (purchase history)
• Biometric information (none collected)
• Internet or network activity (usage data, analytics)
• Geolocation data (approximate location)
• Sensory data (none collected)
• Professional or employment information (none collected)
• Education information (none collected)
• Inferences (migraine pattern analytics)
• Sensitive personal information (health data)

9.3 Exercising Your Rights

To exercise any of these rights, please contact us at:

• Email: loading...
• In-App: Use the data management features in Settings

We will respond to your request within 30 days (or within 45 days for CCPA requests, with possible extension). We may need to verify your identity before processing your request.

10. Data Security

We implement appropriate technical and organizational measures to protect your personal data against unauthorized access, alteration, disclosure, or destruction. These measures include:

• Encryption in Transit: All data transmitted between the App and our servers uses TLS/HTTPS encryption.
• Encryption at Rest: Data stored in Firebase services is encrypted at rest.
• Authentication Security: Passwords are hashed and never stored in plain text. We use Firebase Authentication's industry-standard security practices.
• Access Controls: We limit access to personal data to authorized personnel only.
• Regular Security Reviews: We regularly review and update our security practices.
• Secure Third-Party Providers: We use reputable third-party service providers with strong security certifications (e.g., SOC 2, ISO 27001).

Local Device Security: Data stored locally on your device (SQLite database) is protected by your device's built-in security features. We recommend using a device passcode or biometric lock for additional protection.

While we strive to protect your personal information, no method of transmission over the Internet or electronic storage is 100% secure. We cannot guarantee absolute security.

11. Children's Privacy

Our App is not intended for children under the age of 13.

We do not knowingly collect personal information from children under 13. If you are a parent or guardian and believe your child has provided us with personal information without your consent, please contact us immediately at loading....

If we discover that we have collected personal information from a child under 13, we will take steps to delete that information as quickly as possible.

For users between 13 and 16 years of age in the EEA, parental consent may be required under GDPR Article 8. Please ensure you have appropriate authorization before using the App.

12. Third-Party Links and Services

Our App may contain links to third-party websites or services that are not operated by us. We are not responsible for the privacy practices of these third parties. We encourage you to review the privacy policies of any third-party sites or services you visit.

13. Push Notifications

We may send you push notifications to provide updates, reminders, and information related to the App. You can opt out of receiving push notifications at any time by adjusting your device settings or notification preferences within the App.

Types of notifications we may send:

• Weekly migraine digest summaries
• Pattern detection alerts
• Weather-based migraine risk alerts (premium feature)

14. Analytics and Tracking

We use Firebase Analytics to collect anonymous usage data to help us understand how users interact with our App. This includes:

• Pages/screens viewed
• Features used
• Session duration
• App crashes and errors

This data is aggregated and does not identify individual users. You cannot opt out of essential analytics required for App functionality, but we minimize data collection to what is necessary.

We do not sell, share, or use your personal information for targeted advertising purposes. We do not engage in cross-context behavioral advertising or share data with third parties for their marketing purposes.

15. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. We will notify you of any changes by updating the "Last Updated" date at the top of this policy.

We encourage you to review this Privacy Policy periodically for any changes. Your continued use of the App after any modifications indicates your acceptance of the updated Privacy Policy.

16. Do Not Track Signals

Some browsers include a "Do Not Track" (DNT) feature that signals to websites that you do not want to have your online activity tracked. Our App does not currently respond to DNT signals, as there is no industry-standard interpretation for mobile applications.

17. Contact Us

If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:

Heroic Apps LLC
Email: loading...

For GDPR-related inquiries, you may also contact our Data Protection representative at the email address above.

Supervisory Authority: If you are located in the EEA and believe we have not adequately addressed your concerns, you have the right to lodge a complaint with your local data protection authority.

18. Additional Disclosures for Specific Jurisdictions

18.1 Nevada Residents

We do not sell your personal information as defined under Nevada law. If you are a Nevada resident, you may submit a request to opt out of any future sale of your personal information by contacting us at loading....

18.2 Virginia, Colorado, Connecticut, and Utah Residents

If you reside in Virginia, Colorado, Connecticut, or Utah, you may have additional rights under your state's privacy laws, including rights to access, correct, delete, and obtain a copy of your personal data, as well as the right to opt out of targeted advertising (which we do not conduct). To exercise these rights, contact us at loading....

18.3 Brazilian Residents (LGPD)

If you are located in Brazil, you have rights under the Lei Geral de Protecao de Dados (LGPD), including the right to access, correct, delete, and port your personal data. To exercise these rights, contact us at loading....

19. FTC Health Breach Notification Compliance

In accordance with the Federal Trade Commission's Health Breach Notification Rule (16 CFR Part 318), we will notify you in the event of a breach of unsecured personally identifiable health information. Notification will be provided:

• Without unreasonable delay and no later than 60 days after discovery of a breach
• Via email to your registered email address
• If the breach affects more than 500 individuals, we will also notify the FTC and prominent media outlets

A "breach" includes unauthorized acquisition of your health data, as well as unauthorized disclosure or sharing of such data without your consent.

20. Data Minimization and Purpose Limitation

In accordance with GDPR principles and privacy best practices:

• We collect only the minimum data necessary to provide our services
• Health data is processed solely for the purpose of migraine tracking and pattern analysis within the App
• We do not use your health data for any secondary purposes without your explicit consent
• We regularly review our data collection practices to ensure compliance with data minimization principles