# Privacy Policy **Effective Date:** March 14, 2026 **Last Updated:** March 14, 2026 Helios Labs NY ("we," "us," or "our") operates the Heliant mobile application (the "App"). This Privacy Policy explains how we collect, use, store, and protect your information when you use the App. By using Heliant, you agree to the collection and use of information as described in this policy. --- ## 1. Information We Collect ### 1.1 Account Information When you create an account, we collect: - **Email address** — used for authentication and account recovery - **Password** — securely hashed and stored by our authentication provider; we never store passwords in plain text If you choose to sign in with Apple, we receive: - **Apple ID token** — used to verify your identity - **Name and email** — as provided by Apple based on your sharing preferences ### 1.2 Photos When you use the morning scan feature, you take a photo using your device camera. We collect: - **The photo you capture** — uploaded as a compressed JPEG to our secure cloud storage for analysis - **Photo analysis result** — our server determines whether the photo depicts outdoor sunlight and returns a simple yes/no result to the App We do not access your device photo library. We only process photos you explicitly capture within the App. ### 1.3 Schedule Data When you configure your wind-down schedules, we collect: - **Wind-down times** — the time of day you set for each day of the week - **Enabled/disabled state** — whether each day's schedule is active This data is synced to our cloud database so your schedules persist across devices and app reinstalls. ### 1.4 App Selection Data You select which apps to block during wind-down periods using Apple's Screen Time framework. This selection is: - **Stored only on your device** — in a shared container accessible by the App and its extensions - **Never transmitted to our servers** — we do not know which apps you have selected - **Represented as opaque tokens** — Apple's FamilyControls framework provides only anonymized app tokens, not app names or identifiers ### 1.5 Locally Stored Data The following data is stored only on your device and is never sent to our servers: - Onboarding completion status - Last scan timestamp - Last blocking start timestamp - Timed focus block end time --- ## 2. Information We Do NOT Collect - **Location data** — we do not request or access your location - **Contacts, calendars, or health data** - **Device identifiers** for advertising purposes - **Browsing history or web activity** - **Analytics or telemetry data** — we do not use any third-party analytics, crash reporting, or tracking SDKs - **Advertising data** — we do not integrate any ad networks or tracking pixels - **Photo metadata** — EXIF data (including GPS coordinates) is stripped during JPEG compression before upload --- ## 3. How We Use Your Information We use the information we collect solely to provide and improve the App: | Information | Purpose | |---|---| | Email and password | Authenticate your account and enable secure access | | Photos | Analyze whether you are outdoors in sunlight to unlock your apps | | Schedule data | Enforce your chosen wind-down and wake-up schedule | | App selection (on-device only) | Block and unblock your selected apps at scheduled times | We do not use your data for advertising, profiling, or sale to third parties. --- ## 4. How We Store and Protect Your Information ### 4.1 Cloud Infrastructure We use [Supabase](https://supabase.com) as our backend provider for authentication, database storage, file storage, and serverless functions. Supabase infrastructure is hosted on Amazon Web Services (AWS). - All data in transit is encrypted via HTTPS/TLS - Authentication tokens are stored securely in your device's Keychain (managed by the Supabase SDK) - Passwords are hashed before storage; we never have access to your plain-text password ### 4.2 Photo Storage Photos are uploaded to a secure cloud storage bucket. Each photo is stored under your unique user ID and assigned a random identifier. Photos are used solely for the sunlight analysis feature. ### 4.3 On-Device Storage Schedule times, app selections, and blocking timestamps are stored in a shared app group container (`group.com.helioslabsny.heliant`) accessible only by the App and its authorized extensions. This data does not leave your device except for schedule data synced to our database. --- ## 5. Third-Party Services The App uses the following third-party service: | Service | Purpose | Privacy Policy | |---|---|---| | Supabase | Authentication, database, file storage, serverless functions | [supabase.com/privacy](https://supabase.com/privacy) | If you sign in with Apple, Apple's privacy policy applies to the authentication data they process. See [apple.com/privacy](https://www.apple.com/privacy/). We do not share your data with any other third-party services, advertisers, or data brokers. --- ## 6. Apple Screen Time & FamilyControls Heliant uses Apple's Screen Time APIs (FamilyControls, DeviceActivity, and ManagedSettings) to block and unblock apps on your device. These frameworks are privacy-preserving by design: - App selections are represented as **opaque tokens** — neither we nor any third party can determine which specific apps you have chosen - All blocking enforcement happens **on your device** via Apple's system frameworks - We do not receive, transmit, or store any information about your app usage, screen time, or which apps are installed on your device --- ## 7. Notifications The App may send you local notifications (e.g., a reminder if you miss your morning scan). These notifications are generated entirely on your device. We do not use push notification services that would require transmitting notification tokens to our servers. --- ## 8. Data Retention - **Account data** (email, hashed password) is retained for as long as your account exists - **Schedule data** is retained for as long as your account exists - **Photos** are retained in cloud storage for as long as your account exists - **On-device data** is retained until you uninstall the App or reset the App's data --- ## 9. Your Rights and Choices You have the right to: - **Access your data** — request a copy of the personal data we hold about you - **Delete your account** — contact us to delete your account and all associated data, including uploaded photos and schedule data - **Revoke permissions** — you can revoke camera and notification permissions at any time in your device's Settings. You can revoke Screen Time authorization in Settings > Screen Time - **Sign out** — sign out at any time from the App's settings to clear your session from the device To exercise any of these rights, contact us at the address listed below. --- ## 10. Children's Privacy Heliant is not directed at children under the age of 13. We do not knowingly collect personal information from children under 13. If you believe a child under 13 has provided us with personal information, please contact us so we can delete it. --- ## 11. Changes to This Policy We may update this Privacy Policy from time to time. We will notify you of significant changes by updating the "Last Updated" date at the top of this document. Continued use of the App after changes constitutes acceptance of the revised policy. --- ## 12. Contact Us If you have questions about this Privacy Policy or wish to exercise your data rights, contact us at: **Helios Labs NY** Email: [support@helioslabsny.com] ---