
HAC Privacy Notice

Last Updated: April 5, 2026

Table of Contents

1. Information We Collect
2. How We Use Your Information
3. How We Share Your Information
4. Data De-Identification and Research
5. Your Privacy Rights and Choices
6. Data Security
7. Data Retention
8. Children’s Privacy
9. Third-Party Services and Integrations
10. Changes to This Privacy Notice
11. Contact Us
12. State-Specific Rights

Femetic, Inc., doing business as HAC (“we,” “us,” “our,” or the “Company”), is committed to protecting your privacy. This Privacy Notice explains how we collect, use, share, and protect your information when you use our hormone-informed training and wellness mobile application (the “App”), any associated web-based dashboards, and our website (collectively, the “Service”).

The Service is available only to users who are at least 18 years of age and who are located in the United States. We primarily process and store data in the United States. If we become aware that a service provider or subprocessor processes HAC user data outside the United States, we will disclose that in this notice.

HAC is not a HIPAA-covered entity, and the Service is not a HIPAA-regulated healthcare service. The Service is regulated under applicable federal and state consumer protection, data privacy, and health data laws, unless we expressly state otherwise in connection with a specific partner offering.

1. Information We Collect

The following table describes each category of data we collect, whether it is required or optional, the purposes for which it is used, and the categories of recipients.

| Data Category | Required / Optional | Purposes | Recipients | Retention |
|---|---|---|---|---|
| Account info (name, email, DOB, password) | Required | Account creation, authentication, communications | AWS (hosting), email provider | Account life + 30 days |
| Menstrual / reproductive data (period dates, cycle length, flow) | Required (core Service cannot function without it) | Cycle predictions, personalized hormone-informed insights, pattern-based algorithm | AWS. De-identified: research partners (with consent) | Account life + 30 days |
| Body metrics (weight, height, temperature) | Optional | Personalized training/recovery insights | AWS. De-identified: research partners (with consent) | Account life + 30 days |
| Mood, energy, sleep, readiness | Optional | Personalized insights, pattern correlation | AWS. De-identified: research partners (with consent) | Account life + 30 days |
| Fueling, hydration, nutrition | Optional | Nutrition insights, fueling recommendations | AWS. De-identified: research partners (with consent) | Account life + 30 days |
| Training / workout data | Optional | Training recommendations, performance insights | AWS. De-identified: research partners (with consent) | Account life + 30 days |
| Imported health-platform data (Apple Health, Google Health Connect, via Vital SDK) | Optional | Supplementing user-entered data with authorized health metrics | Vital SDK (integration), AWS | Account life + 30 days |
| Imported hormone testing data (from third-party testing providers) | Optional | Hormone-informed training insights | AWS. De-identified: research partners (with consent) | Account life + 30 days |
| Subscription metadata (plan type, transaction ID, purchase date) | Required for paid features | Subscription management, billing support | Apple / Google (billing platform) | 7 years (tax/legal) |
| Support communications | As needed | Customer support, issue resolution | Support tools, email provider | 3 years |
| Device / usage logs (device type, OS, features used, IP, city/state) | Automatic | Service operation, bug fixing, product analytics, security | AWS, Sentry, analytics provider | 12–24 months |

We do not collect precise geolocation, biometric identifiers, professional/employment information, education information, or financial account numbers. HAC does not receive or store payment card details; billing is managed entirely by Apple and Google.

Menstrual/reproductive data is listed as “required” in the table above because the Service’s core functionality—hormone-informed, cycle-aware training insights—cannot operate without it. Health data consent is required to complete account creation. If you do not wish to consent to health data processing, you will not be able to create an account or use the Service.

2. How We Use Your Information

2.1 Core Service (Required Processing)

Account creation and authentication; generating personalized training, recovery, and nutrition insights; cycle predictions and pattern tracking; data visualization; subscription management; customer support; and security monitoring.

2.2 Model Training and Improvement

  • Individualized personalization: Your identifiable, account-level data is processed to generate your personal insights. This is core Service functionality.
  • General model improvement: De-identified and/or aggregated data improves algorithm accuracy across the user population. Individual account-level data is not used in identifiable form for general model training.
  • Quality assurance: De-identified data may be used to test new features before release.
  • Internal algorithm research: Improving prediction models and developing new analytical approaches.
  • Product analytics: Usage data (feature interactions, not health data) informs product decisions.

De-identified datasets used for model improvement and quality assurance are access-restricted to authorized personnel only. Where any re-identification key or linkage table exists, it is stored separately from de-identified datasets with restricted access controls. De-identified data is never used for advertising, third-party audience building, or any purpose inconsistent with the uses described above.

2.3 Research (Optional Processing)

Subject to your separate, optional research consent, de-identified and/or aggregated data may be used for research collaboration with academic institutions and publication of findings. Published research never identifies individuals.

2.4 Communications

Transactional communications are required. Marketing communications are optional and require your consent.

2.5 Security and Legal Compliance

Fraud and incident detection, safety protection, Terms enforcement, and legal compliance.

3. How We Share Your Information

We do not sell your personal information to third parties.

3.1 Service Providers

| Provider | Purpose | Data Shared |
|---|---|---|
| AWS | Cloud hosting, data storage | All Service data (encrypted in transit and at rest) |
| Vital SDK | Health platform integration (Apple Health, Google Health Connect) | Health data types user authorizes |
| Apple / Google | Subscription billing | Transaction confirmation data only (HAC does not receive payment card details) |
| Sentry | Error monitoring | Device info, error logs, diagnostics. No raw health data. |

We confirm that: no analytics or error-monitoring SDK receives raw menstrual, hormone, or health-platform data unless disclosed above; no SDK contract grants the provider rights inconsistent with our “no sale” and limited-use commitments; and our app store privacy nutrition labels are aligned with these disclosures.

All service providers with access to user data are contractually required to promptly notify HAC of any security incident affecting HAC user data, as described in Section 6.3.

3.2 Research Partners (De-Identified Data Only)

Subject to your research consent, we may share de-identified and/or aggregated data with research partners. Partners are contractually prohibited from attempting re-identification.

3.3 Third-Party Integrations

Data flows with connected services (Apple Health, Google Health Connect, third-party hormone testing providers, etc.) are governed by the permissions you grant. You can disconnect at any time.

3.4 Legal Requirements

We may disclose information to comply with valid legal obligations, respond to lawful government requests, prevent harm, or enforce our Terms of Use.

3.5 Business Transfers

In the event of a merger, acquisition, or similar transaction, your information may be transferred. Where practicable and legally permitted, we will provide at least thirty (30) days’ notice and the opportunity to delete your account before the transfer.

4. Data De-Identification and Research

4.1 De-Identification Methods

When we use data for model improvement, research, or publication, we apply de-identification methods designed to reduce the likelihood of re-identification:

  • Removal of direct identifiers: As a methodological benchmark, we remove the 18 categories of identifiers specified under the HIPAA Safe Harbor standard (45 CFR 164.514(b)(2)). This is a de-identification methodology we adopt voluntarily; it does not mean HAC is subject to HIPAA or has obtained formal HIPAA certification.
  • Aggregation: Where possible, data is combined across many users to create statistical patterns.
  • Generalization: Specific values are converted into ranges (e.g., age ranges, geographic regions).
  • Data minimization: Only the minimum data necessary for the specific purpose is extracted.

We describe this data as “de-identified” rather than “anonymous” because no de-identification technique can guarantee zero residual risk with absolute certainty, particularly for rich, longitudinal health datasets. We continuously evaluate our techniques as methods and re-identification risks evolve.

4.2 Contractual Protections

We commit not to attempt to re-identify individuals from de-identified data. We contractually require every research partner and downstream recipient to make the same commitment and implement reasonable safeguards.

4.3 Distinction Between Uses

  • Internal model improvement: De-identified data used to tune algorithms. Stays within HAC’s systems. Access-restricted.
  • Research collaboration: De-identified datasets shared with external partners under contract. Partners may not attempt re-identification.
  • Publication: Only aggregated findings. Individual-level records are never published.

4.4 No Sale of Personal Data

We do not sell personal information. We do not receive payment from research partners for user data.

4.5 Research Consent and Withdrawal

Research consent is separate and optional. You can change your preference at any time. Withdrawal applies to future research only.

5. Your Privacy Rights and Choices

5.1 Access and Portability

Access your data through account settings or by contacting us. Request a portable copy (CSV/JSON). We respond within thirty (30) days.

5.2 Correction

Correct information through account settings or by contacting us.

5.3 Deletion

Delete your account through the App or by contacting us. Active deletion within 30 days, backup purge within 90 days. Exceptions: legally required retention (e.g., payment records for 7 years), fraud prevention, and de-identified data.

5.4 Withdrawal of Consent

You may withdraw health data consent at any time through account settings. Effects:

  • Service impact: Because health data processing is required for the Service’s core functionality, withdrawing consent will effectively end your ability to use the Service. You may still access your account to view or export historical data, or to delete your account.
  • Historical data: Previously entered data remains visible in read-only form until you delete your account or request deletion.
  • Identifiable data: Retained in inactive status unless you request deletion. Upon request, removed from active systems within 30 days and backups within 90 days, except where required by law.
  • De-identified data: Not affected by withdrawal.
  • Prior processing: Not retroactively affected.

You may also withdraw research consent separately without affecting Service functionality.

5.5 Appeal

If we deny a privacy request, you may appeal by contacting us. We respond within sixty (60) days. If denied, you may contact your state’s regulatory authority.

5.6 Identity Verification and Authorized Agents

To protect your privacy, we may require reasonable verification of your identity before processing a privacy rights request. If you submit a request through an authorized agent, we may require the agent to provide proof of written authorization and may independently verify your identity where permitted by law.

5.7 Marketing

Opt out via unsubscribe links or account settings. Honored within ten (10) business days.

5.8 How to Exercise Your Rights

The following summarizes where and how to exercise each privacy right:

  • In the App (self-service): View and update your profile information; view your tracked health data and history; manage health data consent and research consent; connect or disconnect third-party integrations; adjust marketing and notification preferences; export your data; and delete your account.
  • By contacting us at emily@teamhac.com: Request correction of data you cannot update in-app; request a portable copy of your data in a specific format (CSV or JSON); submit an authorized agent request; file an appeal of a denied privacy request; or ask questions about your data or this Privacy Notice.
  • On our website: Review the current Privacy Notice and Terms of Use.

We respond to verified requests within thirty (30) days (forty-five days for California-specific requests). If we need additional time, we will notify you.

6. Data Security

6.1 Technical Safeguards

Encryption in transit (TLS) and at rest (AES-256); secure cloud infrastructure (AWS, U.S. regions); regular security audits; intrusion detection; secure password hashing and biometric authentication support; regular patching.

6.2 Organizational Safeguards

Privacy and security training for all team members with data access; least-privilege access controls; confidentiality agreements; documented and tested incident response procedures.

6.3 Incident Response

We define a security incident requiring internal escalation and legal review as any unauthorized access to, disclosure of, acquisition of, or loss of personal information or consumer health data. This includes incidents caused by misconfiguration, unauthorized SDK data collection, or third-party vendor failures—not only traditional external attacks.

All service providers with access to user data are contractually required to notify HAC promptly and without unreasonable delay of any security incident affecting HAC user data. Specific notification timelines are established in our vendor contracts.

When an incident triggers notification obligations under applicable law—including the FTC Health Breach Notification Rule (16 CFR Part 318) and applicable state breach notification laws—we will notify affected users and regulators as required. Not every internal security incident will necessarily trigger external notification; we evaluate each incident against applicable legal thresholds.

6.4 Your Responsibility

Keep your password secure and unique. Log out on shared devices. We never ask for your password via email or text. Compromised account: contact emily@teamhac.com immediately.

6.5 Limitations

No electronic transmission or storage method is completely secure. We implement robust measures but cannot guarantee absolute security.

7. Data Retention

Retention periods for each data category are specified in the data map table in Section 1. Summary:

  • Account info, health data, imported data: account life + 30 days after deletion.
  • Subscription metadata (as received from Apple/Google): 7 years for tax/legal compliance.
  • Support communications: 3 years from last interaction.
  • Usage and analytics data: 12–24 months.
  • Backup copies: rolling 90-day cycle, purged within 90 days of account deletion.
  • De-identified research data: retained for as long as it remains useful for the stated research purposes. We periodically review retained research datasets and remove those that are no longer needed.
  • De-identified data used for internal model improvement and QA/testing: retained under the same standard—for as long as it remains useful for the stated purpose, subject to periodic internal review.

8. Children’s Privacy

The Service is available only to individuals who are at least 18. We do not knowingly collect information from anyone under 18. If we learn we have, we will delete it promptly. Contact: emily@teamhac.com.

9. Third-Party Services and Integrations

9.1 SDK Inventory

Third-party SDKs and services are disclosed in Section 3.1. No analytics or error-monitoring SDK receives raw menstrual, hormone, or health-platform data unless expressly disclosed. No SDK provider has contractual rights inconsistent with our commitments.

9.2 Health Platform Imports

The Service supports optional connections to Apple Health (iOS) and, where available, Google Health Connect (Android) or other compatible health data sources through our integration partner (Vital SDK) or direct platform APIs:

  • Connections are entirely optional.
  • You control which data types the Service can access through your device’s health permissions interface.
  • HAC does not use imported health platform data for advertising, marketing to third parties, or sale.
  • Health platform data is processed and stored with the same encryption and security controls as all other Service data.
  • Disconnecting stops future imports. Previously imported data remains unless you delete it.
  • HAC requests access only to the specific health-platform data categories reasonably necessary for the features you have enabled, and only after you grant permission through your device’s health permissions interface.
  • HAC’s use of Apple HealthKit data complies with Apple’s HealthKit developer guidelines. HAC’s use of Google Health Connect data complies with Google Play’s health data policies.

9.3 Hormone Testing Providers

HAC does not administer or handle hormone tests. If you connect a third-party testing provider, we receive only data you authorize. Your relationship with the provider is governed by their terms and privacy policy.

9.4 Third-Party Links

The Service may contain links to third-party websites. We are not responsible for their content or privacy practices.

9.5 Analytics and Advertising

We use analytics to understand feature usage. We do not use third-party advertising networks and do not sell information to advertisers. If advertising is introduced in the future, this notice will be updated.

10. Changes to This Privacy Notice

10.1 Non-Material Changes

For minor changes, we update the “Last Updated” date.

10.2 Material Changes

For material changes, we provide at least thirty (30) days’ notice via email and in-App notice. You may delete your account before changes take effect.

10.3 Continued Use

Continued use after changes take effect constitutes acceptance.

11. Contact Us

For privacy questions, data requests, or complaints:

Femetic, Inc. (d/b/a HAC)

Attn: Privacy Officer

70 SW Century Drive, Ste. 100, PMB 185

Bend, OR 97702

Email: emily@teamhac.com

Phone: (480) 993-8186

We respond within five (5) business days. Complex requests: up to thirty (30) days. Security concerns: contact emily@teamhac.com immediately.

12. State-Specific Rights

12.1 California Residents

CCPA/CPRA Rights. California residents have the right to know, delete, correct, opt out of sale/sharing, limit use of sensitive information, and non-discrimination.

Sale and Sharing. We do not sell personal information. We do not share personal information for cross-context behavioral advertising as defined under CPRA.

Service Provider Classification. Our analytics, error-monitoring, cloud infrastructure, and integration providers that process HAC user data do so as service providers or contractors under written contracts that prohibit them from using HAC user data for their own commercial purposes, retaining or selling HAC user data, or combining HAC user data with data from other sources for any purpose other than performing services on HAC’s behalf. Apple and Google process subscription billing data under their own platform terms. Research partners receive only de-identified data under contractual restrictions described in Section 4.

Do Not Sell or Share. HAC does not sell personal information and does not share personal information for cross-context behavioral advertising as defined under CPRA.

Global Privacy Control. We recognize Global Privacy Control (GPC) signals. When we detect a GPC signal from your browser, we treat it as a valid opt-out request under California law. Because we do not sell or share personal information for cross-context behavioral advertising, GPC recognition confirms our existing practices.

Exercising California Rights. To exercise your California privacy rights, you may use the privacy controls in your account settings, contact us at emily@teamhac.com, or call (480) 993-8186. We will verify your identity and respond within forty-five (45) days.

Categories collected: Identifiers; personal information per Cal. Civ. Code 1798.80(e); health information (classified as sensitive personal information under CPRA); internet/electronic network activity. We do not collect biometric identifiers, precise geolocation, professional, or education information.

Sensitive Personal Information. Health data collected through the Service is classified as sensitive personal information under CPRA. We use this data only to provide the Service you have requested and for purposes exempt from the right to limit under California law.

California Automatic Renewal Law. Subscription auto-renewal terms are disclosed in our Terms of Use (Section 10). Cancel through your device’s app store subscription settings.

12.2 Washington Residents

Washington My Health My Data Act (RCW 19.373). Provides Washington residents with specific rights regarding consumer health data.

  • Categories of consumer health data collected: Menstrual and reproductive data; body metrics; mood, energy, and sleep data; fueling and hydration data; training data; imported hormone testing data; imported health-platform data.
  • Purposes: Providing personalized hormone-informed training, recovery, and nutrition insights; cycle predictions; pattern-based algorithm operation; de-identified research (with consent); product improvement.
  • Categories of third parties: Cloud infrastructure (AWS); health data integration (Vital SDK); analytics provider; error monitoring (Sentry); research partners (de-identified data only, with consent). No consumer health data is shared with advertising networks or sold.
  • Affiliates: HAC does not currently have affiliates with whom consumer health data is shared.
  • Consent: Separate, affirmative consent before collecting consumer health data (Terms of Use Section 4.2).
  • Withdrawal: Through account settings at any time. See Section 5.4 for operational effects.
  • Deletion: Through the App or by contacting us. See Section 5.3 for timelines.
  • No sale: We do not sell consumer health data.
  • No geofencing: We do not use geofencing technology around healthcare facilities.

12.3 Connecticut Residents

Connecticut Data Privacy Act. Rights to access, correct, delete, and port data; opt out of sale (we don’t sell), targeted advertising (we don’t engage in it), and profiling with legal effects. We obtain consent before processing sensitive data.

12.4 Colorado Residents

Colorado Privacy Act. Rights to access, correct, delete, port, and opt out of sale, targeted advertising, and profiling. Consent required for sensitive data. Appeal by contacting us.

12.5 Virginia Residents

Virginia CDPA. Rights to access, correct, delete, port, and opt out of sale, targeted advertising, and profiling. Consent for sensitive data. Appeal by contacting us; if denied, contact the VA Attorney General.

12.6 Oregon Residents

Oregon Consumer Privacy Act. Rights to access, correct, delete, port, and opt out of sale, targeted advertising, and profiling. Consent for sensitive data.

12.7 Other States

Residents of Texas, Montana, Iowa, Indiana, Tennessee, Delaware, New Hampshire, New Jersey, Maryland, Minnesota, Nebraska, Kentucky, and Rhode Island may have additional rights. Contact us to exercise them.


© 2026 Femetic, Inc. (d/b/a HAC). All rights reserved.
