Privacy Policy.
Last updated: May 15, 2026
Status: Pilot — first draft, not yet reviewed by legal counsel. Subject to change before public release.
1. The short version
HeartCore is a wearable system that helps you maintain access to your best judgment during consequential moments. To do that, it reads physiological signals from your Apple Watch and asks you for brief context about events in your day. We treat that information as yours, store it on your device, and don't share it with anyone — including ourselves — except where you explicitly direct us to.
We will not sell your data. We will not advertise against your data. We will not use your HealthKit data for any purpose other than operating HeartCore for you.
2. Who runs HeartCore
HeartCore is operated by an independent founder during the pilot phase. The contact for any privacy question is heartcore@zwirs.co. A company entity will be named here before HeartCore is released outside the pilot.
3. What HeartCore collects
3.1 Biometric data via Apple HealthKit
With your explicit permission via the iOS HealthKit authorization dialog, HeartCore reads:
- Heart rate
- Heart rate variability (HRV, SDNN)
- Resting heart rate (when available)
- Recent sleep and recovery data (when available)
- Respiratory-related signals (only if available and authorized)
- Motion via CoreMotion (accelerometer, gyroscope summaries)
HeartCore does not request, read, or store any HealthKit category beyond what is necessary to operate. You can revoke any of these permissions at any time in iOS Settings → Privacy & Security → Health → HeartCore.
3.2 Information you enter
- Setup answers (wearable usage, role, pressure profile, tendencies)
- Mode selections (Background, Prep, Live Decision, Recovery)
- Optional pre-event context (perceived stakes, reversibility, intention)
- Post-event reflections (outcome, state, recovery ratings)
- Optional notes you choose to attach to a session
3.3 Technical information
- A locally-generated device identifier (a UUID created on your device). It is not an advertising ID and is not transmitted to any server during the pilot.
- Crash logs that you may choose to share with us via the iOS standard "Share with App Developers" flow. These are redacted of personal identifiers by iOS before transmission.
3.4 What HeartCore does not collect
- Raw audio recordings. Voice features are out of scope for the pilot. When voice features are reintroduced in a later version, they will be opt-in, on-device, and feature-level (no raw audio leaves the device).
- Location of any kind.
- Your contacts, photos, or other apps' data.
- Apple's Advertising Identifier (IDFA).
- Tracking pixels, third-party analytics SDKs, or behavioral profiles.
4. Where your data lives
During the pilot, all biometric and reflection data is stored locally on your device via Apple's SwiftData framework. It is not transmitted to a HeartCore server, because for the pilot, there is no HeartCore server holding your data.
If you sign in using a magic-link email or Google account (powered by Supabase Auth), the third-party authentication provider stores your email and an opaque user identifier so we can recognize your device across reinstalls. Your biometric data is never sent to that provider.
If a future version of HeartCore adds optional cloud sync, it will be opt-in, clearly indicated, and described here before it is enabled.
5. How long we keep your data
Data is retained on your device until you delete the app or use the in-app "Delete my data" control. Authentication records held by Supabase Auth are deleted on request via heartcore@zwirs.co and automatically purged within 30 days of pilot exit.
6. Sharing
We do not share, sell, rent, license, trade, or otherwise transfer your HealthKit data, reflection data, or any personal data to any third party.
If you choose to export a summary to share with a coach, physician, or other recipient, that export is initiated by you, shown to you in full before sending, and travels via the standard iOS share sheet — HeartCore does not intermediate or copy the transmission.
7. HealthKit-specific commitments
Apple's App Store requirements impose specific rules on the use of HealthKit data. HeartCore confirms:
- HeartCore will never use HealthKit data for advertising, marketing, or similar services.
- HeartCore will never share HealthKit data with any third party for advertising, marketing, or data-broker purposes.
- HeartCore will not disclose HealthKit data to any third party without your explicit, per-recipient consent, and only for the purpose of providing HeartCore service.
- HealthKit data is stored separately from any non-HealthKit data and is never combined with non-HealthKit data for analytics.
- HealthKit data is never stored in iCloud Keychain or any non-HealthKit data store.
8. Your rights
You can, at any time and without justification:
- View what HeartCore has stored about you (Settings → Data).
- Export all your data as a downloadable file (Settings → Export).
- Delete all your data (Settings → Delete my data).
- Revoke HealthKit permissions in iOS Settings.
- Withdraw from the pilot, in which case all server-side authentication records are purged within 30 days.
If you are in the European Union, the United Kingdom, California, or any other jurisdiction that grants you statutory data rights (access, rectification, erasure, portability, restriction, objection, withdrawal of consent), those rights apply to your HeartCore data and can be exercised by writing to heartcore@zwirs.co. We respond within 30 days.
9. Children
HeartCore is not designed for, marketed to, or intended for individuals under 18. We do not knowingly collect data from anyone under 18.
10. Security
Data on your device is protected by iOS' native sandboxing and (when you enable a passcode, Touch ID, or Face ID) full-device encryption. Authentication tokens are stored in the iOS Keychain. We do not store any HeartCore credential in plaintext.
11. Changes
We will post any material change to this policy here, update the "Last updated" date, and — for active pilot participants — notify you by email at least seven days before the change takes effect. If you don't want the new policy to apply, you can export and delete your data at any time before that date.
12. Contact
Questions, concerns, requests, or anything else: heartcore@zwirs.co. A human reads every message.
This policy is a first draft authored by HeartCore for the pilot phase. It has not yet been reviewed by external legal counsel. Before HeartCore is released outside the pilot, this policy will be reviewed by counsel familiar with HealthKit obligations and applicable regional law. If you spot something that looks wrong or could be clearer, please tell us at heartcore@zwirs.co.