Privacy Policy

Introduction

We respect your privacy and are committed to protecting your personal data. With this Privacy Policy (“Policy”), we explain how xStudios Bilişim Teknolojileri Reklamcılık Anonim Şirketi (“xStudios”) collects and processes your information and personal data, the protection, privacy and data security measures implemented, and your rights.

This Policy applies to Heartbeat's app, website and social media platforms owned by Heartbeat (collectively “Heartbeat / Services / App”).

Your access and use of Heartbeat is governed by this Privacy Policy and Terms of Use (“Terms”). The Terms apply to the definitions within this Policy and the provisions not included in this Policy. We recommend that you review the Terms of Use to be informed about the definitions, functions and features of Heartbeat.

By accessing or using Heartbeat, you agree to the collection and use of information and personal data in accordance with this Policy, and that you have reviewed and understood the processing of your information and personal data, including your rights. If you do not agree with the Terms or Privacy Policy, please do not use the Website, and/or the Services offered by Heartbeat.

Collection of Information and Processing Purposes

We may collect the following information and personal data when you access Heartbeat, or otherwise utilize (“use”) the Website, and/or the Services:

Personal Information and Contact Information

  • Name, Date of birth, Google Account or Apple ID (whichever you preferred to download the app), Gender, E-mail address (if you contact us)

This information is used to create personalized measurements, communicate with you through or about Heartbeat, communicate with you about updates or your requests. This information is collected due to the performance of contract and services.

Technical Data

  • IP address, logs, device type and name, operating system, type and date of subscription.

These data are processed for the purpose of ensuring the functionality of the app, crash and error detection, conducting technical analysis, carrying out the activity in accordance with the legislation and technical data security. This information is collected due to legal requirements and legitimate interests.

Customer Transaction

  • Subscription type and plan, billing cycle.

This data is processed for the purpose of determining the customer's subscription plan, providing and improving the services and membership plans. No credit card information is collected by us. This information is collected due to the performance of contract and legal obligations for billing.

Health Information

  • Pulse rate, pulse statistics, score, tension, energy-stress levels

This information is processed to measure and display heart rate and pulse statistics as a core function of our service. This information is collected due to the performance of contract and services.

The Information Disclosed by Users

Within the scope of the data minimization principle adopted in accordance with the GDPR, Heartbeat takes care not to process any data other than the above that is unnecessary for the application. Data that is not included in the app but shared through contact or other means is deemed to be disclosed by users. These are also protected within the scope of relevant legislation and adequate data protection measures.

Marketing Data

To conduct marketing analysis and run promotional campaigns, we may collect IDFA and IDFV upon your explicit consent acquired through Apple and/or Google. Please note that you can always withdraw your consent.

Age Restriction: Heartbeat has an age restriction as it is not intended for Users under the age of 16. If you are under 16 years of age, please do not use or access the App and Website at any time or in any manner. By using the App, you affirm that you are over the age of 16.

Parent/Guardian Use: Parents and guardians are strongly encouraged to notify Heartbeat if their children under the age of 16 are using the app. Please note that Heartbeat does not collect information from children under this age.

Push Notifications and Access: Heartbeat can send push notifications to notify you about the app and the service. You can always edit such notifications through the settings of your device. Also, if camera access is required for measurements, we ask for a separate approval for camera access, which you can also deactivate at any time from your device.

Sharing of Information

Your personal data will not be sold, traded, or otherwise transferred to third parties for commercial purposes. Your data may be transferred for the reasons explained below:

  • Mobile App Stores: We use Google Play Store and Apple App Store services for you to download, log-in and update the app. These transfers are carried out in accordance with applicable data protection laws. We ensure appropriate safeguards are in place, including contractual agreements and technical measures.
  • Service Providers: We may share your personal information with our third-party service providers that provide us with IT support and hosting services, as well as marketing and analytics tools. These providers are Facebook SDK, AppsFlyer, Adapty, Firebase. This type of sharing is made only to trusted partners under data processing agreements or standard contractual clauses, and always with appropriate measures to ensure the protection of your data in compliance with applicable data protection laws.
  • Legal, Tax and Financial Consultants: We may share your data with legal, tax and/or financial consultants for professional advice related to our operations, conducted in compliance with GDPR and limited to what is necessary.
  • Public Authorities: We may disclose your personal data to legally authorized public institutions and government authorities in compliance with applicable laws, regulations, or decisions, including explicit regulations and administrative or judicial decisions mandating disclosure.

Anonymized Data: We may use anonymized data for analytical purposes. Anonymized data is processed in such a way that it can no longer be attributed to a specific individual, ensuring your privacy is maintained. Please review the Data Destruction and Anonymization heading for the process.

Storage of Information

We are committed to ensuring that your personal data is stored securely and in compliance with applicable laws and regulations.

Retention Period: We will only retain your personal data for as long as necessary to fulfill the purposes for which it was collected, and in accordance with the legal storage periods established by relevant regulations. Once the retention period has expired, we will take appropriate measures to securely dispose of or anonymize your data.

Access Control: Access to your personal data is restricted to authorized personnel who require this information to perform their job responsibilities. We implement strict access controls and security measures to safeguard your data from unauthorized access, use, or disclosure.

Data Destruction and Anonymization: When personal data is no longer necessary or the retention period has expired, we will either securely delete or destroy the data to prevent unauthorized access or retrieval, or we will anonymize the data. Anonymization involves processing the data in such a way that it can no longer be attributed to you, ensuring that it can be used for analytical or research purposes without compromising your privacy. Once data is anonymized, it is irreversibly altered and cannot be traced back to any individual.

Security Measures

We take the security of your personal data very seriously and implement measures to ensure protection in accordance with the General Data Protection Regulation (GDPR). Our key principles include:

  • Safety Measures: Personal data is processed within the company only by authorized personnel, in a way that is not publicly accessible, with verification or additional confidentiality declarations required when processing special categories of data, if available.
  • Access Controls: Access to personal data is restricted to authorized personnel only, ensuring that only those who need to access your information can do so.
  • Regular Security Audits: We conduct regular audits and assessments of our security practices to identify and address potential vulnerabilities.
  • Data Minimization: We only collect and retain personal data that is necessary for the purposes specified.
  • Incident Response Plan: We have established an incident response plan to quickly address any potential data breaches or security incidents.

While we strive to maintain a secure digital environment, no digital environment can be fully secure. We encourage users to take their own precautions when accessing and using the app, including utilizing relevant antivirus software, implementing a secure firewall, accessing the app over a safe Wi-Fi connection, and ensuring that the device used to access the app is secure and up to date.

In the event of any potential data breach or security incident, users are encouraged to inform xStudios immediately. We will analyze the situation to determine if there is a security problem and take necessary measures to mitigate any risks. Your security and privacy are our top priorities, and we are committed to maintaining adequate standards of data protection as required by relevant legislation.

Corporate Affiliates and Sale of Business

We reserve the right to transfer information to a third party in the event of a sale, merger or other transfer of all or substantially all of the assets of Heartbeat or any of its Corporate Affiliates. Please note that Corporate Affiliate means any person or entity which directly or indirectly controls, is controlled by or is under common control with Heartbeat, whether by ownership or otherwise. Any information relating to you that we provide to our Corporate Affiliates will be treated by those Corporate Affiliates in accordance with the terms of this Privacy Policy.

Rights Under GDPR

The General Data Protection Regulation No. 2016/679 (GDPR) establishes a comprehensive framework for the protection of personal data within the European Union and the European Economic Area. Under GDPR, users have the following rights regarding their personal data as data subjects:

  • Right to Access: Obtain confirmation and access to personal data being processed.
  • Right to Rectification: Request correction of inaccurate or incomplete data.
  • Right to Erasure: Request deletion of personal data under certain conditions.
  • Right to Restrict Processing: Request limitation of data processing in specific situations.
  • Right to Data Portability: Receive personal data in a machine-readable format and transfer it to another controller.
  • Right to Object: Object to the processing of personal data, especially for direct marketing.
  • Rights Related to Automated Decision-Making: Not to be subject to decisions based solely on automated processing, unless certain conditions apply.

To exercise these rights or ask any questions, please contact support and include the details regarding the right you would like to use and accurate contact details.

California Residents

The California Consumer Privacy Act (CCPA) requires us to disclose categories of Personal Information we collect and how we use it, the categories of sources from whom we collect Personal Information, and the third parties with whom we share it, which we have explained above.

We are also required to communicate information about rights California residents have under California law. You may exercise the following rights:

Right to Know and Access. You may submit a verifiable request for information regarding the: (1) categories of Personal Information we collect, use, or share; (2) purposes for which categories of Personal Information are collected or used by us; (3) categories of sources from which we collect Personal Information; and (4) specific pieces of Personal Information we have collected about you.

Right to Equal Service. We will not discriminate against you if you exercise your privacy rights.

Right to Delete. You may submit a verifiable request to close your account and we will delete Personal Information about you that we have collected.

Request that a business that sells a consumer's personal data not sell the consumer's personal data. If you make a request, we have one month to respond to you. If you would like to exercise any of these rights, please contact us. Please note that we do not sell the personal information of our users. For more information about these rights, please contact us.

To exercise these rights, users must send an email or petition clearly stating the right they wish to enforce, along with their name and accurate contact details. A response will be provided within the legal time period.

Updates to Privacy Policy

We reserve the right to update this privacy policy at any time to reflect changes in our practices, legal obligations, or operational needs. Users are encouraged to review this policy regularly to stay informed about how we protect their personal data and to understand their rights and responsibilities. The revision date is stated in the introduction of the policy. Any updates will take effect immediately upon posting. If users do not agree with the amendments, they should discontinue using the app. Continued use of the app after such updates constitutes acceptance of the revised policy.

Contact

This privacy policy constitutes the entire understanding between you and us regarding the collection, use, and protection of your personal data. If you have any questions or concerns regarding this policy or our data practices, please contact us via [email protected]

xStudios Bilişim Teknolojileri Reklamcılık Anonim Şirketi
İnciraltı Mah. Mithatpaşa Cad. Morfoloji No: 56-20 Balçova / İzmir
[email protected]

Last Updated: May 2025