Privacy Policy

1. Information We Collect

1.1 Session Data

The App collects the following session-related information:

• Session type (sauna, cold, contrast)
• Duration, temperature, and bench level
• Calculated sweat loss and hydration estimates
• Session timestamps and notes
• Protocol tracking and compliance

1.2 Body Metrics

To calculate sweat loss estimates, the App collects:

• Weight
• Sex
• Height (optional)

This data is stored locally on your device and used only for calculations.

1.3 Heart Rate & Biometric Data

If you connect a Bluetooth Low Energy (BLE) heart rate monitor, the App collects:

• Real-time heart rate samples during sessions (BPM at ~1-second intervals)
• Heart rate zone distribution and session averages
• Derived analytics: estimated calorie burn, cold shock metrics, thermal load scores, and acclimatization trends

Heart rate data is stored locally on your device. We do not transmit raw heart rate samples to any server. BLE connections are established directly between your device and your heart rate monitor — we do not act as an intermediary.

1.4 Apple Health Data (iOS)

With your explicit permission, the App may read from and write to Apple Health:

• Workout sessions and active energy burned (when HR-based calorie estimates are available)
• Dietary water entries for bidirectional hydration sync

Apple Health sync is optional and requires your explicit consent through Apple's permission dialogs. Data exchanged with Apple Health stays on your device — it is not uploaded to our servers. You can revoke access at any time in App settings or your device's Health settings.

1.5 Hydration Data

The App tracks daily water intake including amounts, timestamps, and beverage types.

1.6 Account Information

The App offers three sign-in options:

• Anonymous (Default): No personal information collected. Data stored locally only.
• Google Sign-In: Email and name collected for cloud backup.
• Apple Sign-In: Email and name collected for cloud backup.

1.7 Device Information

We collect a device fingerprint (hashed identifier) to:

• Track trial period status and prevent abuse
• Associate referral codes with devices (Android only)

This fingerprint does not identify you personally and cannot be used to track you across other apps.

2. Data Storage

2.1 Local Storage (Primary)

The App operates with a privacy-first, offline-first approach. Your session data, body metrics, hydration logs, and settings are stored locally on your device using SQLite. We do not have access to this data.

2.2 Cloud Storage (Optional)

If you sign in with Google or Apple, you may optionally enable cloud backup:

• Backup data is stored in Google Firebase
• Data is encrypted in transit
• Only you can access your backup data
• Cloud backup is a premium feature

2.3 Trial and Subscription Data

We store the following in Firebase:

• Device fingerprint and trial status
• Subscription status (via RevenueCat)
• Referral code data (Android only)

2.4 Data Retention

We retain your data as follows:

• Local data: Retained on your device until you uninstall the app or clear app data
• Cloud backup data: Retained until you delete your account in-app (immediate removal)
• Subscription records: Managed by the app stores (Apple App Store / Google Play) and RevenueCat; cancel subscriptions through the respective store
• Device fingerprint: Retained indefinitely for trial abuse prevention (contains no personal information)

3. How We Use Your Data

We use your data to:

• Calculate sweat loss and hydration estimates
• Calculate health insights estimates
• Compute heart rate analytics including estimated calorie burn, cold shock tracking, thermal load scores, and acclimatization trends (when HR data is available)
• Sync session data with Apple Health (iOS, if enabled)
• Track session history and protocol compliance
• Provide cloud backup (if enabled)
• Manage trial periods and subscriptions
• Process referral rewards (Android only)
• Send push notifications (if enabled)
• Generate shareable session images

4. Legal Basis for Processing (EU/UK Users)

If you are located in the European Economic Area (EEA) or the United Kingdom, we process your personal data under the following legal bases in accordance with the GDPR / UK GDPR:

• Performance of a contract (Art. 6(1)(b)): to provide the App's core functionality — calculating sweat and hydration estimates, tracking sessions, managing your account and subscription.
• Consent (Art. 6(1)(a)): for optional features you explicitly enable — cloud backup, Apple Health sync, push notifications, and Bluetooth heart rate monitoring. You may withdraw consent at any time in App settings.
• Legitimate interests (Art. 6(1)(f)): for device fingerprinting to prevent trial abuse, for security measures, and for improving App stability. These interests are balanced against your rights and we use the minimum data necessary.
• Legal obligation (Art. 6(1)(c)): where required by applicable law (for example, responding to lawful requests from authorities).

Special-category health data (heart rate, body metrics) is processed on the basis of your explicit consent (Art. 9(2)(a)) and is stored locally on your device; we do not receive it on our servers unless you enable cloud backup.

5. Third-Party Services

5.1 Firebase

We use Google Firebase for:

• Anonymous and social authentication
• Cloud data storage (backup)
• Trial tracking and referral tracking (referrals on Android only)

Firebase's privacy policy applies to this data processing.

5.2 RevenueCat

We use RevenueCat for subscription management:

• Receives purchase receipts from app stores
• Validates subscription status
• No payment details are stored by us

5.3 Apple Health (iOS)

With your permission, the App integrates with Apple Health:

• Writes workout sessions and active energy burned (when HR-based calorie estimates are available)
• Writes and reads dietary water entries for bidirectional hydration sync

Data read from Apple Health (such as hydration entries from other apps) is displayed in the App in real time but is not copied into the App's local database. Data written to Apple Health (such as workout sessions and calories) remains in Apple Health under Apple's privacy policy. All Apple Health data exchange happens locally on your device — we do not receive, store, or process any Apple Health data on our servers.

5.4 Social Platforms

When you share session images to social platforms (Instagram, Twitter, etc.), those platforms' privacy policies apply. We do not receive data from these shares.

6. International Data Transfers

Zen Zero Pty Ltd is based in Australia. Where cloud services are used (for authentication, trial tracking, cloud backup, or subscription management), your data may be processed on servers located in the United States or other countries outside the EEA, the UK, or Australia.

For transfers of personal data outside the EEA or the UK, we rely on the following safeguards:

• Standard Contractual Clauses (SCCs): our subprocessors Google Firebase and RevenueCat have incorporated the European Commission's Standard Contractual Clauses into their Data Processing Agreements, which we have accepted.
• Supplementary measures: data in transit is encrypted using HTTPS/TLS, and access to cloud infrastructure is restricted to authenticated personnel.

You may request a copy of the relevant transfer mechanism by contacting us at the address in Section 15.

7. Data Sharing

We do not sell or share your personal data with third parties, except:

• With service providers (Firebase, RevenueCat) as described above
• When required by law
• To protect our rights or safety
• With your explicit consent

8. Push Notifications

The App may send push notifications such as:

• Session reminders
• Streak protection alerts
• Protocol reminders
• Post-session hydration prompts

You can enable or disable notifications in App settings or device settings at any time.

9. Data Security

We implement security measures including:

• Local data stored in SQLite on your device
• HTTPS encryption for all network communications
• Secure Firebase authentication
• Hashed device fingerprints (not reversible)

Since most data is stored locally, you are responsible for your device's security.

10. Your Rights

10.1 Access

You can view all your data through the App interface.

10.2 Deletion

To delete your data:

• Local data: Uninstall the App or clear app data in device settings
• Cloud data and account: Open the App → Cloud Backup (or Profile) → Account section → Delete Account. Deletion is processed immediately and removes your Firebase account and all cloud backups. See our Account Deletion page for full details.

Device-based trial tracking data is retained after account deletion to prevent trial abuse. This data does not identify you personally.

10.3 Portability

You can export your session data through the App's backup feature.

11. Children's Privacy

The App is not intended for children under 13. We do not knowingly collect information from children under 13. If you believe we have collected information from a child under 13, please contact us and we will promptly delete it.

12. California Residents (CCPA)

If you are a California resident, the California Consumer Privacy Act (CCPA) grants you specific rights regarding your personal information.

• We do not sell your personal information. We have not sold personal information in the preceding 12 months and have no plans to do so.
• We do not share your personal information for cross-context behavioural advertising.
• Right to know: you may request details of the personal information we collect and how it is used (see Sections 1 and 3).
• Right to delete: you may delete your data at any time using the in-app account deletion flow (see Section 10.2).
• Right to non-discrimination: we will not discriminate against you for exercising your CCPA rights.

To exercise these rights, contact us at the address in Section 15 with the subject line "CCPA Request."

13. Website

13.1 Website Data Collection

Our website (altaflip.com) is primarily informational and promotional. We do not use analytics tracking or collect personal information directly through the website. There are no account registrations, contact forms, or newsletter signups on the website.

13.2 Hosting and Infrastructure

Our website uses third-party hosting and security services that automatically process certain data:

• IP addresses (for security and abuse prevention)
• Request information (browser type, device, pages visited)
• Geographic location (country-level)

This data is used solely for security, performance optimization, and abuse prevention.

13.3 Cookies

Our website does not set tracking or advertising cookies. Our hosting provider may set functional cookies for security purposes (such as bot detection and security challenges). These cookies are essential for website security and cannot be disabled.

14. Changes to This Policy

We may update this Privacy Policy from time to time. Continued use of the App or website after changes constitutes acceptance of the updated policy.