Privacy Policy for HeartTap
Last Updated: October 12, 2025
Introduction
Welcome to HeartTap! This Privacy Policy explains how we collect, use, protect, and handle your personal information when you use the HeartTap mobile application.
HeartTap is a personal messaging app designed exclusively for couples to stay connected through instant love notifications. We take your privacy seriously and are committed to protecting your personal information.
By using HeartTap, you agree to the collection and use of information in accordance with this policy.
When you create a HeartTap account, we collect:
- Email Address: Used for account authentication and password recovery
- Username: A unique identifier you choose for connecting with your partner
- Password: Encrypted and stored securely by Firebase Authentication (we never see your plain-text password)
Profile Data
To provide HeartTap’s core functionality, we store:
- Partner Connection: The user ID of your connected partner (if you have one)
- Tap Statistics: The total number of love taps you’ve sent and received
- Account Creation Date: When you first created your account
To enable push notifications:
- Push Notification Token (FCM Token): A unique device identifier required to send you notifications when your partner sends you love
- Token Update Timestamp: When your notification token was last updated
Message Content
When you use HeartTap to communicate:
- Tap Messages: The text content of love taps you send and receive
- Sender and Receiver Information: Who sent the message and who received it
- Timestamps: When messages were sent
- Read Status: Whether a message has been viewed
HeartTap is designed with privacy in mind. We do not collect:
- ❌ Your location data
- ❌ Your contacts list
- ❌ Your photos or camera access
- ❌ Usage analytics or behavioral tracking
- ❌ Advertising identifiers
- ❌ Device information beyond the push notification token
- ❌ Any data from other apps on your device
Note: Firebase Analytics is explicitly disabled in HeartTap. We do not track your usage patterns or behavior within the app.
We use your information exclusively to provide HeartTap’s core functionality:
1. Account Management
- Authenticating your identity when you log in
- Allowing password recovery via email
- Preventing duplicate usernames
2. Partner Connection
- Enabling you to search for and connect with your partner by username
- Maintaining your exclusive 1-to-1 partner relationship
- Showing your partner’s information in your profile
3. Message Delivery
- Storing and delivering love tap messages between you and your partner
- Maintaining a history of your shared moments
- Tracking which messages have been read
4. Push Notifications
- Sending you instant notifications when your partner sends you love
- Updating your app badge count
- Delivering notification content to your device
5. App Functionality
- Tracking tap statistics to show in your profile
- Updating home screen widgets with recent activity
- Providing a timeline of your love history
We do NOT:
- ❌ Sell your data to third parties
- ❌ Use your data for advertising
- ❌ Share your information with anyone except as described in this policy
- ❌ Analyze your messages for any purpose other than delivery
Data Storage and Security
Where Your Data Is Stored
All HeartTap data is stored using Google Firebase services, which are hosted on secure Google Cloud infrastructure. Specifically:
- Firebase Authentication: Manages your account and password
- Cloud Firestore: Stores your profile, messages, and app data
- Firebase Cloud Messaging: Handles push notifications
- Firebase Cloud Functions: Processes backend logic (e.g., sending notifications, account deletion)
Security Measures
We implement industry-standard security practices:
- Encryption in Transit: All data transmitted between your device and our servers is encrypted using TLS/SSL
- Encryption at Rest: Firebase encrypts all stored data at rest
- Password Security: Passwords are hashed using Firebase’s secure authentication system
- Access Control: Strict Firestore security rules ensure users can only access their own data and their partner’s data
- Server-Side Validation: All critical operations are validated server-side using Cloud Functions
Firebase Security Rules
HeartTap uses production-ready Firestore security rules that enforce:
- Users can only read their own data or their partner’s data
- Users can only create messages as themselves (no impersonation)
- Only message receivers can mark messages as read
- No client can delete data directly
- Username searches are rate-limited to prevent abuse
Third-Party Services
HeartTap uses the following third-party services to function:
Google Firebase (Google LLC)
Firebase provides our backend infrastructure, including:
- User authentication
- Database storage
- Push notifications
- Cloud functions for backend logic
Firebase Privacy Policy: https://firebase.google.com/support/privacy
Google Privacy Policy: https://policies.google.com/privacy
Important: While Firebase is operated by Google, we have disabled all Google Analytics and tracking in HeartTap. Google only processes data necessary to provide the core Firebase services (authentication, database, messaging).
Data Retention
Active Accounts
We retain your data for as long as your account is active and you continue to use HeartTap. This includes:
- Your account information
- Partner connection
- All message history
- Tap statistics
Account Deletion
When you delete your account, we permanently delete all of your data:
What Gets Deleted Immediately:
- Your user account and profile
- Your Firebase Authentication account
- Your partner connection (removed from both sides)
- All tap messages you sent or received
- Your tap statistics
- Your push notification token
- Your username (freed up for others to use)
How to Delete Your Account:
- Open HeartTap
- Go to your Profile
- Tap “Delete Account”
- Confirm the deletion
Important: Account deletion is permanent and irreversible. All your data will be deleted immediately and cannot be recovered. We recommend downloading any messages or memories you want to keep before deleting your account.
Partner Removal
If you remove your partner connection (without deleting your account):
- Your partner connection is cleared
- Your tap statistics are preserved (lifetime counts remain)
- Your message history is cleared
- Your partner’s connection to you is also removed
Your Rights and Choices
Access Your Data
You can view your data at any time within the HeartTap app:
- Profile page: View your email, username, partner, and tap statistics
- Love History page: View all messages between you and your partner
Delete Your Data
You have the right to delete all your data at any time by deleting your account through the app (Profile → Delete Account).
You can update certain information:
- Partner Connection: Add or remove your partner through the app
- Push Notification Token: Automatically updated when you use the app
Currently, you cannot change your email or username after account creation. If you need to change these, you must delete your account and create a new one.
Control Notifications
You can control whether HeartTap sends you push notifications through your device’s iOS Settings (Settings → Notifications → HeartTap).
Children’s Privacy (COPPA Compliance)
HeartTap is intended for users who are 13 years of age or older. We do not knowingly collect personal information from children under 13.
If you are a parent or guardian and believe your child under 13 has provided us with personal information, please contact us immediately at the email below, and we will delete that information from our systems.
If you are under 13 years old, do not use HeartTap or provide any personal information.
International Data Transfers
HeartTap is operated from the United States, and your data is stored on Firebase/Google Cloud servers, which may be located in various countries.
By using HeartTap, you consent to the transfer of your information to countries outside your country of residence, including the United States, which may have different data protection rules than your country.
Firebase complies with applicable data protection laws and provides appropriate safeguards for international data transfers.
Changes to This Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our practices or for legal, operational, or regulatory reasons.
How We’ll Notify You:
- The “Last Updated” date at the top of this policy will be revised
- For significant changes, we may notify you via email or in-app notification
- Continued use of HeartTap after changes constitutes acceptance of the updated policy
We encourage you to review this Privacy Policy periodically to stay informed about how we protect your information.
If you have any questions, concerns, or requests regarding this Privacy Policy or your personal data, please contact us:
Email: clark@hearttap.info
Response Time: We aim to respond to all inquiries within 7 business days.
Data Requests
For the following requests, please email us:
- Account deletion support (if you have trouble deleting through the app)
- Questions about your data
- Privacy concerns
- Reporting security issues
Legal Basis for Processing (GDPR)
If you are in the European Economic Area (EEA), our legal basis for collecting and using your information depends on the specific data and context:
- Contract Performance: We process your account and message data to provide the HeartTap service you’ve requested
- Legitimate Interest: We use push notification tokens to send you relevant notifications about your partner’s activity
- Consent: By using HeartTap, you consent to our data practices as described in this policy
You have the right to withdraw consent at any time by deleting your account.
California Privacy Rights (CCPA)
If you are a California resident, you have the following rights:
- Right to Know: You can request information about the personal data we collect, use, and share
- Right to Delete: You can request deletion of your personal data (use the in-app account deletion feature)
- Right to Opt-Out: We do not sell your personal information to third parties
- Right to Non-Discrimination: We will not discriminate against you for exercising your privacy rights
To exercise these rights, contact us at the email address above.
Data Breach Notification
In the unlikely event of a data breach that affects your personal information, we will:
- Investigate the breach immediately
- Take steps to prevent further unauthorized access
- Notify affected users via email within 72 hours
- Provide guidance on steps you can take to protect yourself
Summary
In Plain English:
HeartTap is a simple, privacy-focused app for couples. We only collect what we need to make the app work (your email, username, messages, and notification token). We store everything securely with Firebase/Google. We don’t track you, sell your data, or show you ads. You can delete your entire account at any time; it’s instant and permanent.
We’re a personal project built for real people, and we respect your privacy as much as we respect our own.
Thank you for trusting HeartTap to keep you connected with your loved one! ❤️
This Privacy Policy is effective as of October 12, 2025 and applies to all users of the HeartTap mobile application.