Privacy Policy
Last updated: May 1, 2026
1. Introduction
HeroHealth Collective (“we,” “us,” or “our”) operates the HeroHealth Collective platform (the “Service”), a community wellness platform for veterans, first responders, and health-focused individuals. This Privacy Policy explains what information we collect, how we use it, with whom we share it, and what choices you have.
By creating an account or using the Service, you agree to the collection and use of information described in this Policy.
2. Information We Collect
Account Information
When you register, we collect your email address (used to authenticate your account and send transactional communications) and a hashed password managed by our authentication provider. We never store plaintext passwords.
Profile Information
You may optionally provide your full name, display name, profile photo, biography, date of birth, gender, ZIP code, user type (e.g., veteran, first responder), activity level, fitness goals, and workout preferences. Optional fields are not required to use the Service.
Fitness and Activity Data
If you connect a Strava account, Apple Health, or Android Health Connect, we import activity type, distance, duration, start time, calorie estimates, step counts, workout/session records, and related wellness metrics that you explicitly authorize. For Strava, we store OAuth tokens in your profile to maintain the connection. For Apple Health and Health Connect, your data is read from your device only after you grant permission and is synced to your HeroHealth account only when you choose to connect or sync.
Apple Health Data (iOS)
With your explicit permission, HeroHealth may read the following data from Apple Health:
- Step count
- Walking and running distance
- Cycling distance
- Active energy burned (calories)
- Workout sessions, including type, start/end time, duration, and totals recorded by Apple Health
We use Apple Health data to display your activity history, support challenges, power dashboard summaries, and help you track your progress inside HeroHealth.
Is this data stored on our backend?
Yes. When you choose to sync Apple Health, we store the synced metrics and workout/session data in your HeroHealth account so the information can appear across devices and remain available after reinstalling the app.
Is this data used for advertising or shared with data brokers?
No. Apple Health data is never used for advertising, marketing profiling, or sale to data brokers. We do not use health data for any purpose other than providing and improving the health and wellness features you request.
How can you revoke access or delete this data?
- You can revoke HeroHealth's access in the Apple Health app by opening Health → Sharing/Apps → HeroHealth and disabling permissions.
- You can stop syncing at any time by disconnecting or no longer using the feature in HeroHealth.
- You can delete your HeroHealth account from your account settings, which permanently removes synced Apple Health data from our servers.
Revoking Apple Health permissions stops future reads from your device but does not automatically delete data already synced to your HeroHealth account. To remove previously synced data, delete your account or contact us using the information below.
Android Health Connect Data (Android 13+)
With your explicit permission, HeroHealth reads the following data from your device via Android Health Connect:
- Step count (number of steps taken)
- Distance traveled (walking, running, cycling)
- Calories burned
- Exercise sessions (type, start/end time, duration, notes)
We use this data to display your activity history, track your progress, and provide personalized wellness insights and challenges. This helps you monitor your health and participate in community features.
Is this data stored or synced to our backend?
Yes. When you choose to sync, we store aggregated metrics (steps, distance, calories, exercise sessions) in your HeroHealth account so you can view your history across devices and restore your data if you reinstall the app. Raw data is not shared with other users.
Is this data shared with third parties?
No. Health data from Health Connect is never shared with advertisers, analytics companies, or any third parties beyond what is required to operate the Service (see provider table below). We do not sell or monetize your health data.
How can you revoke access or delete your data?
- You can revoke HeroHealth’s access to Health Connect at any time in your device’s Health Connect app permissions screen.
- You can delete your HeroHealth account at any time from your account settings, which will permanently erase all synced health data from our servers.
HeroHealth requests access to your health data solely to provide you with activity tracking, progress monitoring, and wellness features. We do not access or use your health data for any other purpose.
Strava Connected Data
When you connect your Strava account, HeroHealth imports the following activity data via Strava's official API:
- Activity type (e.g., run, ride, walk)
- Distance, duration, and start time
- Calorie estimates
- Heart rate data (if recorded by your device)
We use this data to display your activity history, contribute to challenge progress, and provide a unified view of your fitness alongside other data sources.
What is stored in our database?
We store your Strava OAuth access and refresh tokens in your HeroHealth account record to maintain the ongoing connection. These tokens allow us to import new activities on your behalf. Imported activity records (type, distance, duration, calories, heart rate) are also stored in your account.
Is this data shared with third parties?
No. Strava activity data is never shared with advertisers, analytics companies, or any third parties beyond what is required to operate the Service. Strava governs the data held on their platform under their own Privacy Policy.
How can you disconnect Strava or delete your data?
- You can disconnect Strava at any time in your account settings, which immediately clears the OAuth tokens we hold.
- Activity data already imported will remain in your account until you delete your account entirely.
- To revoke HeroHealth's access on Strava's side, visit Strava → Settings → My Apps.
Wellness and Mental Health Data
If you use wellness tracking features, we collect daily mood, energy, stress level, sleep hours, minutes of meditation and journaling, and whether you attended a therapy session. This data is stored per day and aggregated into weekly summaries. You may delete your account at any time to remove this data.
We treat wellness data with heightened care. It is visible only to you and is not shared with other users or third parties beyond what is necessary to operate the Service.
Social and Community Content
We collect content you create, including feed posts and media, comments, emoji reactions, buddy check-in messages, and connection requests. Posts and comments may be visible to other users or the public depending on how your profile is configured.
Anonymous distress alerts: The platform includes an optional feature that allows you to notify a buddy that you are struggling without revealing your identity. When you use this feature, your identity is removed from the alert. However, thread metadata (timing, participants) is retained in our systems, and platform administrators with database access can see all data.
Contact Form Submissions
When you submit our contact form, we collect your name, email address, subject, and message. This information is stored in our database and emailed to our team.
Usage and Analytics Data
We use Vercel Analytics and Vercel Speed Insights to collect anonymous usage telemetry, including page views, navigation paths, and performance metrics. This data is collected automatically when you visit any page on the Service.
3. How We Use Your Information
- Create and manage your account and profile
- Provide and personalize the Service, including fitness tracking, social feed, and buddy matching
- Import and display your fitness activity data from connected services
- Aggregate wellness data into weekly summaries for your personal dashboard
- Facilitate check-in messages and buddy connections
- Respond to contact form inquiries
- Send transactional emails (e.g., password resets)
- Analyze and improve platform performance via analytics
- Support challenge participation and rewards
We do not sell your personal information to third parties.
4. Data Sharing and Third-Party Processors
We share your data only with the following service providers, solely to operate the Service:
| Provider | Purpose |
|---|---|
| Supabase | Database, authentication, and storage |
| Cloudinary | Media file storage (photos and videos) |
| Strava | Fitness activity import via OAuth |
| Apple Health | Health data access on iOS devices with user permission |
| Android Health Connect | Health data access on Android 13+ devices (local read only) |
| Resend | Transactional email delivery |
| Vercel | Hosting, analytics, and performance monitoring |
We do not share your data with advertisers, data brokers, or analytics companies beyond those listed above.
5. Your Rights and Choices
Account and Data Deletion
You may permanently delete your account at any time from your account settings. Deleting your account removes your profile, posts, messages, activity data, wellness data, and uploaded media. This action is irreversible.
Correction
You may update most profile information at any time through your account settings.
Strava Disconnection
You may disconnect Strava at any time through your account settings, which will clear the OAuth tokens we hold. Activity data already imported will remain in your account until you delete your account.
Data Access Requests
To request a copy of the personal data we hold about you, please contact us at the address below.
6. Data Security
We use Supabase to store your data, which provides encryption at rest and in transit. Passwords are stored as hashed credentials and are never visible to us. We use server-side sessions and bearer tokens for API authentication.
Despite our precautions, no security system is impenetrable. We cannot guarantee the absolute security of your information.
7. Children's Privacy
The Service is not directed to individuals under the age of 13. We do not knowingly collect personal information from children. If you believe a child has provided us with personal information, please contact us.
8. Mental Health Resources
If you are in crisis, please contact the 988 Suicide and Crisis Lifeline by calling or texting 988, or contact the Crisis Text Line by texting HOME to 741741.
9. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of material changes via email or an in-app notice. Continued use of the Service after the effective date constitutes acceptance of the updated Policy.
10. State Privacy Rights
Virginia Residents (CDPA)
If you are a Virginia resident, the Virginia Consumer Data Protection Act (CDPA) grants you the right to: access personal data we hold about you; correct inaccurate personal data; delete personal data you have provided or that we have collected about you; obtain a copy of your personal data in a portable format; and opt out of any sale of personal data (we do not sell personal data). To exercise any of these rights, contact us at the address below. We will respond within 45 days as required by law.
California Residents (CCPA / CPRA)
If you are a California resident, the California Consumer Privacy Act (CCPA) as amended by the CPRA grants you the right to: know what personal information we collect, use, disclose, and sell; delete personal information we hold about you; correct inaccurate personal information; opt out of the sale or sharing of your personal information (we do not sell or share personal information); and non-discrimination for exercising your rights. To submit a verifiable consumer request, contact us at the address below. We will respond within 45 days as required by law.
In the preceding 12 months we have not sold or shared personal information with third parties for cross-context behavioral advertising.
11. Contact Us
If you have questions about this Privacy Policy or wish to submit a data access or deletion request, please contact us:
HeroHealth Collective
Email: privacy@cohortsixtechops.com
