Privacy Policy
Last updated: April 2026
1. Who We Are
Haelo is operated by Haelo Life Ltd ("we", "us", "our"), a company registered in England and Wales. We are the data controller for personal data collected through the Haelo iOS app, website, and related services.
Contact: privacy@haelo.life
ICO registration: [ZB — to be confirmed upon registration]
Our primary legal framework is the UK General Data Protection Regulation (UK GDPR) as retained in UK law by the European Union (Withdrawal) Act 2018, together with the Data Protection Act 2018 (DPA 2018). The Privacy and Electronic Communications Regulations 2003 (PECR) govern our use of push notifications and email marketing.
Where Haelo is used by residents of the European Economic Area, we also comply with EU GDPR. We do not currently have an EU establishment and rely on the UK's adequacy decision from the European Commission (adopted June 2021) for any data flows from the EEA to the UK.
2. What Data We Collect
2.1 Account Data
| Data | Purpose |
|---|---|
| Apple ID identifier (anonymous token from Sign in with Apple) | Authentication — we never receive your Apple email address unless you choose to share it |
| Email address (if shared via Sign in with Apple or entered directly) | Account recovery, transactional emails (welcome, season alerts, GP report delivery) |
2.2 Profile Data
| Data | Notes |
|---|---|
| First name, last name | Optional. Used to personalise in-app messages and email communications. |
| Date of birth | Optional. Used to contextualise symptom patterns. |
| Pollen triggers (grass, tree, weed, etc.) | Core personalisation input |
| Symptom severity baseline | Mild / moderate / severe — set during onboarding |
| Current medications | Used for medication check-in, timing optimiser, personalised recommendations |
| Full postcode | Used to fetch localised pollen data, weather, and community statistics. Stored in your private Firestore document, visible only to you and our backend functions. |
| Notification preferences | Controls which push notifications you receive |
2.3 Symptom Logs
Each daily log you submit contains:
- Severity scores for nose, eyes, energy, sleep, and any other recorded dimensions (0–10 scale)
- Context tags (e.g. "outdoors", "took antihistamine", "windows open")
- Date and timestamp
Symptom logs are health data and are treated as special category data under Article 9 UK GDPR (see Section 3).
2.4 Health Data from Apple HealthKit
If you grant HealthKit permission, we read the following data types from your on-device HealthKit store:
| Data Type | How it is used |
|---|---|
| Sleep duration | Correlating sleep quality with symptom severity |
| Heart rate variability (HRV) | Physiological stress indicator in risk scoring |
| Blood oxygen saturation (SpO₂) | Respiratory health context |
| Respiratory rate | Respiratory health context |
| Step count | Activity context |
| Outdoor walking/running minutes | Outdoor exposure proxy |
| Daylight exposure | Outdoor exposure proxy |
| Alcohol consumption (derived) | Symptom correlation |
| Menstrual cycle data | Cycle-phase context — processed on-device only, never uploaded to our servers |
Important: All HealthKit data except menstrual cycle data is aggregated into daily snapshots and stored in your private Firestore document. Raw HealthKit records are not extracted or stored. This data is health data under Article 9 UK GDPR (see Section 3).
HealthKit data is never used for advertising and never shared with third parties except as part of your personal risk prediction (processed by our own Cloud Functions in europe-west2).
2.5 Biomarker Data (Premium, Optional)
| Data | Notes |
|---|---|
| Specific IgE blood test results | Uploaded manually. Stored encrypted in your private Firestore document. Not aggregated or shared. |
| Allergy-relevant genetic SNPs (~50 variants) | Extracted on-device from a genome file you provide. The raw genome file is never uploaded — only the small set of SNPs relevant to allergy and medication response is stored in Firestore. |
Biomarker data is genetic data and health data — special category data under Article 9 UK GDPR and Schedule 1 DPA 2018.
2.6 Location Data
| Type | How collected | Stored? |
|---|---|---|
| Full postcode | Entered by you during onboarding | Yes — in your profile |
| GPS coordinates | Requested on-demand (one-shot) when you tap "Use my location" | No — coordinates are passed to our pollen API function and discarded. Not written to Firestore. |
2.7 Crash and Diagnostic Data
We use Firebase Crashlytics for crash reporting. When the app crashes, Crashlytics automatically sends:
- A crash report including the stack trace and app state at time of crash
- Device type, iOS version, and app version
- A Crashlytics installation ID and your Haelo user ID (so we can correlate crashes to your account on request)
- A "tier" tag (free or premium) so we can spot tier-correlated regressions
Crashlytics is operated by Google. We do not transmit your postcode, name, email, or other profile fields in crash payloads. If you contact us about a crash, we can look it up by user ID and respond with context; otherwise crashes are reviewed in aggregate.
2.8 Analytics Data
We use Firebase Analytics to understand how the app is used. Firebase Analytics is operated by Google. We log custom product events (e.g. "log_completed", "paywall_shown", "education_card_opened") plus automatic events (session start, screen views) and onboarding progression. Where an event includes context (such as a symptom log), values are bucketed before sending — exact severity scores, tag contents, postcode, name, email, and health data are never sent to Firebase Analytics.
App Tracking Transparency: at the end of onboarding, iOS shows you a prompt asking whether to allow tracking. If you decline, Firebase Analytics still works but does not collect your Apple Identifier for Advertisers (IDFA) — you remain pseudonymous. If you allow it, IDFA is included so we can measure ad-attribution and cross-device journeys.
We set two Firebase Analytics user properties: your Haelo user ID (so we can correlate analytics to your account) and your subscription tier (free / premium). Both can be reset at any time by deleting your account.
2.9 Subscription Data
We use RevenueCat to manage subscriptions. RevenueCat receives:
- Your Haelo user ID (Firebase UID)
- Purchase events from the App Store
- Your subscription entitlement status
RevenueCat does not receive your health data, symptom logs, or postcode. Financial transaction data (card details, Apple Pay) is handled entirely by Apple — we never see it.
3. Special Category Data (Article 9 UK GDPR)
Your symptom logs, HealthKit health snapshots, medication records, IgE results, and genetic SNPs are special category data under Article 9 UK GDPR (and Schedule 1, Part 1 DPA 2018 for health data). This category attracts heightened legal protection.
Legal basis for processing special category data: We rely on your explicit consent (Article 9(2)(a) UK GDPR). This is the condition in Schedule 1, Part 1, paragraph 2 DPA 2018. You give explicit consent at distinct points:
- At the end of onboarding, where you are shown a clear summary of the health data to be collected and confirm acceptance before your first symptom log is saved
- Via the iOS system permission dialogue when you grant HealthKit access
- When you choose to upload biomarker data (IgE results or genome file) — a separate, specific consent step
Explicit consent for health data must be an active, affirmative act — we do not infer it from general use of the app.
You may withdraw consent at any time by disabling HealthKit access in iOS Settings → Privacy → Health, deleting your biomarker data in the app, or deleting your account entirely (see Section 10). Withdrawal of consent does not affect the lawfulness of processing carried out before withdrawal.
4. Third-Party Data Processors
We share data with the following sub-processors only to the extent necessary to operate the app:
| Service | Provider | Data shared | Location |
|---|---|---|---|
| Firebase (Firestore, Auth, Cloud Functions, Storage) | Google LLC | All user data stored in your profile, logs, and articles | EU (europe-west2, London) |
| Firebase Analytics | Google LLC | Bucketed feature-usage events, screen views, user ID, subscription tier | US (Standard Contractual Clauses) |
| Firebase Crashlytics | Google LLC | Crash reports, device info, installation ID, user ID, tier tag | US (Standard Contractual Clauses) |
| Ambee | Ambee Data Pvt Ltd | Your postcode or GPS coordinates (to fetch pollen data) | US (Standard Contractual Clauses) |
| OpenWeather | OpenWeather Ltd | Your postcode or GPS coordinates (to fetch weather data) | EU |
| Google Cloud Text-to-Speech | Google LLC | Article text (no personal data) | EU |
| RevenueCat | RevenueCat Inc. | Your Firebase UID, purchase events | US (Standard Contractual Clauses) |
| Resend | Resend, Inc. | Your email address (transactional emails only) | US (Standard Contractual Clauses) |
| Apple HealthKit | Apple Inc. | On-device — we read HealthKit data; Apple is not a sub-processor for this | On-device |
We do not sell your data. We do not share personal data with advertisers, data brokers, or any third party not listed above.
5. Legal Bases for Processing (UK GDPR / DPA 2018)
Where processing involves ordinary personal data, we rely on the grounds set out in Article 6 UK GDPR. Where it involves special category data, we additionally rely on a condition in Article 9(2) UK GDPR and Schedule 1 DPA 2018.
Push notifications are also governed by the Privacy and Electronic Communications Regulations 2003 (PECR), which require prior consent for electronic marketing communications. Our notifications fall into two categories: (a) service messages directly related to your use of the app (e.g. morning pollen briefings you have enabled) — these are strictly necessary communications under PECR; and (b) re-engagement or promotional notifications, for which we obtain separate consent.
Emails sent to your address fall into two categories:
- Transactional emails — welcome, GP report delivery, subscription lifecycle (purchase, billing issues, cancellation, refund), and account-security notifications. These are tied to your use of the service and do not constitute direct marketing under PECR. They are always sent and cannot be turned off while you have an account.
- Engagement emails — weekly review digest, season-start alerts, personal milestones, and re-engagement nudges. These are opt-in. New users choose per-channel during onboarding (every toggle defaults OFF); existing users can change their selection any time in Settings → Email preferences. We do not send these unless you have explicitly opted in.
| Processing activity | Art 6 basis | Art 9 condition (where applicable) |
|---|---|---|
| Authentication and account management | Art 6(1)(b) — contract performance | — |
| Delivering pollen data, forecasts, and risk predictions | Art 6(1)(b) — contract performance | — |
| Storing symptom logs and HealthKit snapshots | Art 6(1)(b) — contract performance | Art 9(2)(a) — explicit consent; Sch 1 para 2 DPA 2018 |
| Sending push notifications (service messages) | Art 6(1)(b) — contract performance; PECR reg 6 strictly necessary | — |
| Sending transactional emails (welcome, GP report, subscription lifecycle, account security) | Art 6(1)(b) — contract performance | — |
| Sending engagement emails (weekly review, season alerts, milestones, re-engagement) | Art 6(1)(a) — consent; PECR reg 22 — explicit opt-in collected at onboarding | — |
| Processing genetic / IgE biomarker data | Art 6(1)(a) — consent | Art 9(2)(a) — explicit consent; Sch 1 para 2 DPA 2018 |
| Firebase Analytics (bucketed feature-usage events + screen views) | Art 6(1)(f) — legitimate interest (product improvement) | Yes — App Tracking Transparency prompt at end of onboarding controls IDFA collection |
| Crash reporting via Firebase Crashlytics | Art 6(1)(f) — legitimate interest (app stability and security) | — |
| Community statistics (anonymised, aggregated) | Art 6(1)(f) — legitimate interest; Art 6(1)(a) for sharing | — |
| Subscription management via RevenueCat | Art 6(1)(b) — contract performance | — |
Where we rely on legitimate interest (Art 6(1)(f)), we have conducted a balancing test confirming that our interest does not override your rights and freedoms, taking into account the limited nature of the data involved and the safeguards in place.
6. Community Data
If you enable community sharing, your symptom logs contribute to anonymised community statistics for your local area. These statistics are:
- Aggregated at postcode area level (leading letters only: e.g. "SW1A 2AA" → "SW")
- Only published when a minimum of 10 users contribute from that area on a given day
- Computed server-side — your individual log is never exposed; only aggregate averages and percentages are stored
- Non-reversible — it is not possible to reconstruct individual logs from the aggregate data
Community sharing is opt-in and can be disabled at any time in Settings.
7. International Data Transfers
Your primary data (Firestore) is stored in Google's europe-west2 region (London) and does not leave the UK. Some third-party processors (Firebase Analytics, Firebase Crashlytics, Ambee, RevenueCat) are operated by US-based companies, and the US does not have a UK adequacy decision.
Where personal data is transferred to the US, we rely on the International Data Transfer Agreement (IDTA) — the UK's statutory transfer mechanism under s.119A DPA 2018, approved by the Secretary of State and laid before Parliament. Each of our US-based sub-processors is required to sign an IDTA (or the EU SCCs with a UK Addendum, which has equivalent status) before personal data is shared with them.
The relevant transfer mechanisms in place are:
| Processor | Transfer mechanism |
|---|---|
| Google LLC (Firebase Analytics + Crashlytics) | IDTA / EU SCCs + UK Addendum |
| Ambee Data | IDTA / EU SCCs + UK Addendum |
| RevenueCat Inc. | IDTA / EU SCCs + UK Addendum |
Copies of our IDTA documentation are available on request by emailing privacy@haelo.life.
8. Data Retention
| Data type | Retention period |
|---|---|
| Symptom logs | 2 years from date of logging, then summarised and originals deleted |
| HealthKit daily snapshots | 2 years from date of logging |
| Profile data (name, postcode, triggers, etc.) | Until account deletion |
| Crash reports (Firebase Crashlytics) | 90 days (Crashlytics default) |
| Analytics events (Firebase Analytics) | 14 months (Firebase default, configurable in Firebase Console). Events are linked to your user ID; deleting your account triggers a Firebase Analytics user-data deletion request via the user-ID export endpoint. |
| Email records (Resend) | 12 months from last send |
| Biomarker data (IgE, SNPs) | Until you delete it or delete your account |
9. Your Rights Under UK GDPR
As a UK resident, you have the following rights under the UK GDPR and DPA 2018:
- Access (Art 15): Request a copy of all personal data we hold about you (a Subject Access Request). This is free of charge.
- Rectification (Art 16): Correct inaccurate or incomplete data. Most profile data can be edited directly in the app.
- Erasure (Art 17): Request deletion of your personal data where there is no overriding legal basis for retention. See also Section 10 for the one-tap account deletion route.
- Portability (Art 20): Receive your data in a structured, commonly used, machine-readable format. Export your symptom logs as JSON from Settings → Data Export.
- Restriction (Art 18): Request that we restrict processing of your data — for example while the accuracy of data is disputed.
- Object (Art 21): Object to processing based on our legitimate interest (e.g. Firebase Analytics). We will cease that processing unless we can demonstrate compelling legitimate grounds that override your interests.
- Withdraw consent (Art 7(3)): Withdraw consent at any time without affecting the lawfulness of prior processing. You can withdraw consent for HealthKit access in iOS Settings → Privacy → Health, and for push notifications in iOS Settings or in-app Settings.
- Not be subject to automated decision-making (Art 22): Our personalised risk predictions involve automated processing but do not produce legal or similarly significant effects on you, so Art 22 does not apply. You may nonetheless request human review of any prediction by contacting us.
How to exercise your rights: Email privacy@haelo.life. Under UK GDPR Article 12, we must respond within one calendar month of receiving your request. Where requests are complex or numerous, we may extend this by a further two months and will notify you accordingly.
Right to complain: You have the right to lodge a complaint with the Information Commissioner's Office (ICO) — the UK's supervisory authority under the DPA 2018 — at any time:
- Website: ico.org.uk
- Helpline: 0303 123 1113
- Live chat: ico.org.uk/global/contact-us/live-chat
If you are resident in an EEA member state, you may also complain to your local data protection supervisory authority.
10. Account Deletion
You can delete your account at any time from Settings → Delete Account. Deletion is immediate and permanent. It removes:
- Your user profile (name, postcode, triggers, medications, preferences)
- All symptom logs and HealthKit snapshots
- Biomarker data (IgE results, genetic SNPs)
- Your FCM notification token
- Your community sharing contributions (already anonymised at the area level — aggregate statistics may remain, but your individual contribution cannot be identified or removed from them)
After deletion, anonymised and aggregated community statistics that were computed before deletion are retained for statistical integrity.
11. Children and Age Restriction
Haelo is intended for users aged 16 and over. We do not knowingly collect personal data from anyone under 16. If you believe a child under 16 has provided us with personal data, please contact privacy@haelo.life and we will delete it promptly.
The UK's digital age of consent under section 9 DPA 2018 (implementing UK GDPR Article 8) is 13 for information society services generally. We have voluntarily set our minimum age at 16 as a business policy, reflecting the sensitivity of the health and biometric data we process and the greater capacity of older teenagers to provide meaningful informed consent for processing of special category data under Article 9 UK GDPR.
12. Security
We implement the following measures to protect your data:
- All data transmitted between the app and our servers is encrypted in transit using TLS 1.2+
- Data at rest in Firestore is encrypted using Google-managed encryption keys
- Firestore security rules restrict access so that each user can only read and write their own data
- Crashlytics is configured to exclude sensitive personal data (postcode, name, profile fields) from crash payloads
- Our Cloud Functions require authentication before processing pollen and weather requests
No system is completely secure. If you discover a security vulnerability, please report it to privacy@haelo.life.
13. Changes to This Policy
We may update this policy when we introduce new features or data practices. We will notify you of material changes via an in-app notice at least 14 days before the change takes effect, and will update the "Last updated" date at the top of this page. Continued use of the app after the notice period constitutes acceptance of the updated policy.
14. Contact and Complaints
Data controller: Haelo Life Ltd (registered in England and Wales)
ICO registration reference: [ZB — to be confirmed]
Email: privacy@haelo.life
For Subject Access Requests, data deletion requests, or any other data rights enquiry, email us first. We will acknowledge within 72 hours and respond in full within one calendar month.
If you are dissatisfied with our handling of your data or our response to a rights request, you have the right to escalate directly to the UK supervisory authority:
Information Commissioner's Office (ICO)
Website: ico.org.uk
Helpline: 0303 123 1113
Postal address: Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF