1. Introduction

This Privacy Policy describes how HealthAPI ("we," "us," or "our") collects, uses, stores, and protects your personal information and health data when you use our mobile application and API services.

By using HealthAPI, you agree to the collection and use of information in accordance with this policy. If you do not agree with our policies and practices, please do not use our services.

2. Information We Collect

2.1 Health and Fitness Data

We collect health and fitness data that you choose to sync from Apple Health, including but not limited to:

• Activity Data: Steps, distance, flights climbed, active energy burned, exercise minutes
• Workout Data: Workout type, duration, distance, calories burned, heart rate during exercise
• Body Measurements: Weight, body mass index, body fat percentage, lean body mass
• Vital Signs: Heart rate, resting heart rate, heart rate variability, blood pressure, respiratory rate, oxygen saturation
• Sleep Data: Sleep duration, sleep stages, time in bed
• Nutrition Data: Calories consumed, macronutrients, hydration
• Mindfulness: Meditation and mindfulness minutes
• Other Health Metrics: Blood glucose, electrocardiogram data, and other health metrics available through Apple Health

2.2 Account Information

• Email address (for account creation and communication)
• Device information: Device ID, device name, operating system version
• API credentials: Unique API keys for accessing your data

2.3 Usage Data

• API request logs (endpoints accessed, timestamps, response status)
• App usage patterns and feature interactions
• Error logs and crash reports (anonymized)

3. How We Use Your Information

We use your information solely for the following purposes:

• Service Delivery: To provide API access to your health data as requested
• Data Synchronization: To sync your Apple Health data to our secure servers for API access
• Account Management: To create and maintain your account, authenticate API requests
• Service Improvement: To improve our services, fix bugs, and develop new features
• Communication: To send you service-related notifications, updates, and security alerts
• Security: To detect and prevent fraud, abuse, and security incidents

4. Data Storage and Security

4.1 Storage Location

Your health data is stored on secure servers located in compliance with applicable data protection regulations. Data is encrypted both in transit (using TLS/SSL) and at rest (using AES-256 encryption).

4.2 Security Measures

• Encryption: All data transmitted between your device and our servers is encrypted using industry-standard HTTPS/TLS protocols
• Authentication: API key-based authentication with secure key generation and storage
• Access Controls: Strict access controls and monitoring of our infrastructure
• Regular Security Audits: Ongoing security assessments and vulnerability testing
• Data Isolation: Each user's data is logically isolated and protected
• Secure Infrastructure: Firewall protection, intrusion detection, and automated security updates

4.3 Data Retention

We retain your health data for as long as your account is active or as needed to provide you services. You can request deletion of your data at any time through the app or API.

5. Data Sharing and Disclosure

5.1 Third-Party Services

We do not share your health data with third parties except in the following limited circumstances:

• Service Providers: Trusted infrastructure providers (e.g., cloud hosting) who are contractually obligated to protect your data and use it only for providing services to us
• Legal Compliance: When required by law, court order, or government regulation
• Protection of Rights: To protect the rights, property, or safety of HealthAPI, our users, or the public

5.2 API Access

Your health data is accessible only through your personal API key. You are responsible for keeping your API key secure and for any access granted using your credentials.

6. Your Rights and Choices

6.1 Access and Control

You have the following rights regarding your data:

• Access: View all your stored health data through our API or app
• Export: Download a complete copy of your data in JSON format via the GDPR export endpoint
• Correction: Update or correct your account information
• Deletion: Request permanent deletion of your account and all associated data
• Restriction: Choose which types of health data to sync
• Portability: Export your data in a machine-readable format

6.2 Exercising Your Rights

To exercise any of these rights, you can:

• Use the in-app settings and controls
• Use the GDPR endpoints in our API (/api/v1/gdpr/export, /api/v1/gdpr/account)
• Contact us at privacy@healthapi.app

7. HIPAA Compliance

While HealthAPI handles personal health information, we are not a covered entity or business associate under the Health Insurance Portability and Accountability Act (HIPAA) as we do not conduct healthcare transactions or interact with healthcare providers on your behalf.

However, we implement security and privacy safeguards that meet or exceed HIPAA standards, including:

• Administrative, physical, and technical safeguards
• Encryption of data in transit and at rest
• Access controls and audit logs
• Breach notification procedures

8. Children's Privacy

HealthAPI is not intended for use by individuals under the age of 18. We do not knowingly collect personal information from children under 18. If you are a parent or guardian and believe your child has provided us with personal information, please contact us at privacy@healthapi.app.

9. Cookies and Tracking

Our website uses minimal cookies necessary for basic functionality. We do not use tracking cookies or third-party analytics on our landing page. Our API does not use cookies but relies on API key authentication.

10. International Data Transfers

If you are accessing HealthAPI from outside the United States, please be aware that your data may be transferred to, stored, and processed in the United States or other countries where our service providers operate. We ensure that all such transfers comply with applicable data protection laws.

11. Data Breach Notification

In the unlikely event of a data breach that affects your personal information, we will:

• Notify affected users within 72 hours of discovering the breach
• Provide details about the breach and steps being taken
• Offer guidance on protecting your information
• Comply with all applicable breach notification laws

12. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices or legal requirements. We will notify you of any material changes by:

• Posting the updated policy on our website with a new "Last Updated" date
• Sending an email notification to your registered email address
• Displaying an in-app notification

Your continued use of HealthAPI after such changes constitutes acceptance of the updated policy.

13. California Privacy Rights

If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA):

• Right to Know: Request details about the categories and specific pieces of personal information we collect
• Right to Delete: Request deletion of your personal information (subject to certain exceptions)
• Right to Opt-Out: Opt out of the sale of personal information (Note: We do not sell personal information)
• Right to Non-Discrimination: Exercise your privacy rights without discriminatory treatment

To exercise these rights, contact us at privacy@healthapi.app.

14. European Union Users (GDPR)

If you are located in the European Union, you have rights under the General Data Protection Regulation (GDPR), including:

• Right to access your personal data
• Right to rectification of inaccurate data
• Right to erasure ("right to be forgotten")
• Right to restrict processing
• Right to data portability
• Right to object to processing
• Rights related to automated decision-making

Our legal basis for processing your data is your explicit consent when you create an account and choose to sync your health data.

15. Contact Us

If you have questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:

• Email: privacy@healthapi.app
• Support: support@healthapi.app

We will respond to all legitimate requests within 30 days.