Privacy Policy
Effective date: 2026-05-10 | Developer: EXSports Oy | Contact: info@exsports.fi
This Privacy Policy applies to the Heda mobile application developed by EXSports Oy (hereinafter "Service Provider" or "we") and describes how we collect, use, and protect your information. Heda is a versatile migraine diary that integrates with Google Health Connect to allow you to log and track migraine episodes, symptoms, and related health data.
1. Information We Collect
1.1 Migraine Diary Data (Health Data)
Heda is a diary application. The migraine entries, symptom records, pain levels, triggers, medications, and other diary content you create are stored locally on your device. This data is not transmitted to EXSports Oy's servers.
If you choose to use the Google Health Connect integration, selected health data (such as sleep sessions and stages, heart rate, heart rate variability, step counts, and exercise sessions) may be read from Health Connect in accordance with your permissions. Heda only reads data from Health Connect — it never writes data to it. This data exchange takes place on your device between Heda and the Health Connect platform. EXSports Oy does not receive or store this data on external servers.
1.2 Information You Provide
The application requires sign-in with a Google account via Android's Credential Manager. Your Google account email address is used solely to authenticate your identity and to link any premium entitlement purchases to your account. We do not collect your name or any other profile information beyond the email address provided by Google Sign-In.
Your Google account email address is processed by Supabase (our authentication and backend provider) to manage your login session and to verify premium subscription entitlements via Google Play. See Section 5 for details on Supabase as a third-party service.
Support inquiries: If you contact us for support via email (info@exsports.fi), we may retain your name and email address solely for the purpose of responding to your inquiry. This data is stored securely and deleted once the support matter is resolved, unless you request otherwise.
1.3 Information Collected Automatically
With your explicit consent (requested upon first app launch), the application may collect crash reports automatically. No usage analytics are collected.
- Crash reports: Technical diagnostic data including device type, operating system version, stack trace, and error logs at the time of a crash. This data is processed by GlitchTip, an error monitoring service used to identify and fix bugs.
You can withdraw your consent at any time in the app's settings menu under Settings → Privacy & Data.
1.4 Google Health Connect
Heda may integrate with Google Health Connect to read health data (such as sleep sessions and stages, heart rate, heart rate variability, step counts, and exercise sessions) from your device. Heda never writes data back to Health Connect. This integration requires your explicit permission through the Android Health Connect permissions dialog. You can grant or revoke these permissions at any time in your device's Health Connect settings.
Data exchanged via Health Connect remains on your device and is governed by Google's Privacy Policy and the Health Connect terms of service. EXSports Oy does not receive or process Health Connect data on external servers.
2. How We Use Your Information
Information collected is used solely for the following purposes:
| Data Type | Purpose | Legal Basis (GDPR) |
|---|---|---|
| Diary & health data | Stored locally; used only within the app on your device | Contract performance (Article 6(1)(b)) |
| Google account email address | Authentication via Google Sign-In; linking premium entitlement purchases | Contract performance (Article 6(1)(b)) |
| Crash reports (GlitchTip) | To identify and fix technical errors | Consent (Article 6(1)(a)) |
| Support inquiry data | To respond to your support requests | Legitimate interest (Article 6(1)(f)) |
We explicitly do NOT:
- Use your data for advertising or marketing
- Create user profiles or perform behavioural tracking
- Share your data with advertisers or data brokers
- Transmit your diary entries or health data to our servers
- Use your health data for any purpose other than providing the in-app functionality you requested
3. Location Information
The application does not collect precise or approximate location information from your device. No GPS, Wi-Fi-based, or network-based location data is accessed or stored.
4. Artificial Intelligence
The application does not use Artificial Intelligence (AI) or Machine Learning (ML) technologies to process your personal data or make automated decisions affecting you.
5. Third-Party Services
The application uses the following third-party services. Each has its own privacy policy governing its data practices:
- Google Play Services / Google Play Billing – App distribution and processing of in-app purchases (premium unlock). Google Play Billing handles all payment transactions; EXSports Oy does not receive or store your payment card details.
- Supabase – Authentication backend (stores your Google account email for session management) and premium entitlement verification. Supabase is hosted in the EU. See Supabase's Privacy Policy.
- Google Health Connect – On-device health data integration (read-only, with your permission)
- GlitchTip – Crash reporting and diagnostics (consent required). GlitchTip receives anonymous technical crash data only; no health or diary data is ever included.
The Service Provider does not sell personal data to third parties. Data may be shared with the above service providers solely to operate and improve the application, and only to the extent necessary.
5.1 Data Transfers Outside the EU/EEA
Supabase stores authentication data (your Google account email) on infrastructure located in the EU. For details, see Supabase's Privacy Policy.
Crash report data processed by GlitchTip may be stored outside the EU/EEA depending on the service configuration. Crash reports contain no personal health data. For details, see GlitchTip's Privacy Policy.
5.2 Legal Disclosure
The Service Provider may disclose information if required by law, such as in response to a valid court order, to comply with legal processes, or to protect the rights, property, or safety of EXSports Oy, our users, or the public.
6. Data Retention
| Data Type | Retention Period |
|---|---|
| Diary & health data (local) | Stored locally on device; deleted when app is uninstalled, when you use "Delete local data" in Settings → Privacy & Data, or when you clear app data |
| Google account email (Supabase) | Retained for as long as you have an active account; deleted upon account deletion (via Settings → Privacy & Data → Delete account) or by contacting us |
| Crash reports (GlitchTip) | Up to 90 days, then deleted |
| Support inquiry emails | Until the issue is resolved + 6 months, unless deletion is requested |
To request deletion of your data, contact us at info@exsports.fi. We will respond within 30 days (as required by GDPR Article 12).
7. Your Rights Under GDPR
If you are located in the European Union or European Economic Area, you have the following rights under the General Data Protection Regulation (GDPR):
- Right of access – you can request a copy of the personal data we hold about you
- Right to rectification – you can request correction of inaccurate data
- Right to erasure – you can request deletion of your personal data ("right to be forgotten")
- Right to data portability – you can request your data in a machine-readable format
- Right to object – you can object to data processing for analytics purposes at any time
- Right to withdraw consent – you can withdraw consent for crash reporting at any time in the app settings
To exercise any of these rights, contact us at info@exsports.fi.
8. Consent
Upon first launch, the application will ask for your consent before enabling crash reporting (via GlitchTip). You may decline without affecting the core diary functionality of the application. No usage analytics are collected. Health Connect permissions are requested separately and you can manage them at any time in Android settings.
Continued use of the application after any updates to this Privacy Policy constitutes your acceptance of those changes.
9. Intended Audience
Heda is intended for users aged 18 and older. The application is not directed at minors. The Service Provider does not knowingly collect personal information from minors. If you believe a minor has accessed the application, please contact us at info@exsports.fi.
10. Security
The Service Provider implements physical, electronic, and procedural safeguards to protect your information. Specifically:
- Database encryption: All diary data is stored in a SQLCipher-encrypted database using AES-256, so the data is unreadable without the correct key even if the device storage is accessed directly.
- Key management: The database encryption key is managed by the Android Keystore system and further protected with Google Tink (AES-256-GCM), so keys are hardware-backed where supported by the device.
- Biometric lock: The app supports an optional biometric lock (fingerprint, face recognition, or device PIN) that restricts access to the app without affecting diary data.
- App sandboxing: Diary data benefits from Android's standard app sandboxing; other apps on the device cannot access Heda's data.
- Authentication security: Sign-in is handled via Google's Credential Manager — we never see or store your Google account password.
Access to any collected crash data is restricted to authorised personnel only. We recommend enabling device screen lock and biometric lock within the app to further protect your health diary data.
11. Opt-Out and Account Deletion
You can stop all data collection by uninstalling the application. You can also:
- Disable crash reporting (GlitchTip) at any time under Settings → Privacy & Data
- Delete all locally stored diary data under Settings → Privacy & Data → Delete local data
- Delete your account (including authentication data stored by Supabase) under Settings → Privacy & Data → Delete account. Account deletion is a two-step confirmation process and is permanent.
- Revoke Health Connect permissions in Android's Health Connect settings at any time, without uninstalling the app
12. Changes to This Privacy Policy
This Privacy Policy may be updated from time to time. We will notify you of any material changes by updating the effective date at the top of this page and, where appropriate, notifying you within the application.
13. Relationship to Disclaimer
By using this application, you also agree to the Disclaimer & Terms of Use. The Privacy Policy and Disclaimer together constitute the full agreement between you and EXSports Oy regarding the use of this application.