Privacy Policy
Version: 1.0
Effective Date: June 1, 2026
Last Updated: June 1, 2026
Table of Contents
- About This Policy
- Who We Are
- Information We Collect
- How We Use Your Information
- Legal Bases for Processing
- Data Storage and Security
- Data Sharing and Third Parties
- Data Retention
- Your Rights
- Account and Data Deletion
- Children's Privacy
- International Data Transfers
- Cookies and Website Tracking
- Changes to This Policy
- Contact Us
Regional Addenda:
- A. European Economic Area, UK & Switzerland
- B. United States and Canada
- C. Brazil
- D. Latin America — Mexico and Argentina
- E. Japan and South Korea
- F. Middle East — UAE and Saudi Arabia
- G. India and Indonesia
- H. Turkey
- I. Russia and CIS — Kazakhstan, Uzbekistan
- J. Australia
- K. Africa — South Africa, Nigeria, Kenya, Egypt
- L. Minimum Age Requirements by Region
1. About This Policy {#about}
This Privacy Policy explains how HelAI ("we", "us", "our") collects, uses, stores, and protects personal information when you use the HelAI mobile application (available on iOS and Android) and the website helai.app (collectively, the "Service").
We are committed to handling your personal information transparently and in accordance with applicable data protection laws across all markets in which we operate. We build privacy protections into our product by design: the AI pose-tracking feature runs entirely on your device, and health data from Apple Health or Google Health Connect is never transmitted to our servers.
Please read this policy carefully. By creating an account or using the Service, you acknowledge that you have read and understood this policy.
2. Who We Are {#who-we-are}
Data Controller / Operator:
Konstantin Yeftifeyev, operating as HelAI
Republic of Kazakhstan
Privacy Contact:
[email protected]
General Contact:
[email protected]
Website:
https://helai.app
3. Information We Collect {#information-we-collect}
We collect the minimum information necessary to provide the Service. Below is a complete description of every category of data we collect.
3.1 Account and Identity Data
When you create an account, we collect:
- Email address — used for authentication and communication
- Display name (first and last name) — used to personalize your experience
- Authentication provider — whether you signed in via Google, Apple, or email/password
- User identifier (UID) — a unique identifier assigned by our authentication service (Firebase Authentication)
This data is stored both locally on your device and in our cloud authentication system.
3.2 Fitness and Workout Data
When you use the app to track workouts, we collect:
- Workout sessions — date, duration, name, and optional notes
- Exercise history — exercises performed within each session, including type and order
- Set data — number of sets, repetitions, and weight used per exercise
- Personal records (PRs) — automatically calculated from your set history
- Goals — fitness goals you create and their progress
- Exercise preferences — custom rest timers, execution notes, and settings per exercise
Storage by default: All fitness and workout data is stored locally on your device in an encrypted database. We do not transmit your workout history to our servers as part of the free tier of the Service.
Cloud Backup (planned premium feature): We plan to introduce an optional cloud backup feature as part of a paid subscription. If and when you enable cloud backup, your workout history, personal records, and goals will be securely transmitted to and stored on our servers solely for the purpose of backup and multi-device synchronization. You will be asked to provide explicit consent before cloud backup is activated, and you may disable it at any time from within the app. We will update this Privacy Policy before this feature launches.
3.3 Health and Biometric Data
If you grant permission, the app reads the following health data from your device's health platform (Apple Health on iOS, Google Health Connect on Android):
- Sleep duration
- Resting heart rate and heart rate variability (HRV)
- Daily step count
- Weight, height, and body fat percentage
This data is read-only and stays on your device. It is displayed in the app's Home screen Readiness Card and Profile Body Metrics section. It is stored locally in an encrypted database on your device and is never transmitted to our servers. Granting these permissions is optional; refusing them does not prevent you from using the core features of the app.
3.4 Camera and AI Pose Detection Data
The AI coaching feature uses your device's camera to analyze your exercise form in real time:
- Video frames are processed entirely on your device by a local machine learning model (MediaPipe Pose Landmarker)
- No video, images, or pose data are ever recorded, stored, or transmitted anywhere — not to our servers, not to any third party
- Camera access is used only while you are actively using the AI coaching screen
- The ML model itself is downloaded once to your device as part of the app installation or an on-demand asset pack — model inference always happens locally
3.5 Device and Technical Data
To detect and fix crashes and technical issues, we automatically collect:
- Device model and manufacturer
- Operating system and version
- App version
- Crash stack traces and error logs
- App usage breadcrumbs (sequence of actions leading to an error)
This data is collected by Firebase Crashlytics. It is used solely for debugging and improving app stability. It does not include your personal information such as name or email, though a user identifier may be attached to crash reports to help us investigate issues affecting specific users.
3.6 Usage Analytics
To understand how the app is used and improve the product, we collect:
- Screen view events — which screens you visit within the app (for example: "Home", "Profile", "ActiveWorkout", "PoseCamera")
We collect only screen navigation events. We do not collect your exercise content, workout data, or any personally identifiable information through our analytics. User identifiers are not attached to analytics events.
This data is collected by Firebase Analytics.
3.7 Wearable Device Data
If you pair a Garmin smartwatch with the app, workout events and AI coaching feedback are exchanged between the app and your watch via Bluetooth Low Energy (BLE). This communication is device-to-device only — no data from this exchange is transmitted to our servers or to Garmin's servers.
3.8 Website and Contact Form Data
When you visit helai.app or submit a message through our contact form, we collect:
- Language preference — stored in your browser's local storage to remember your language choice
- Contact form submissions — your name, email address, subject, and message content, used solely to respond to your inquiry
4. How We Use Your Information {#how-we-use}
We use the information we collect for the following specific purposes:
| Purpose | Data Used |
|---|---|
| Provide authentication and account management | Account data (email, name, UID) |
| Personalize your in-app experience | Display name, fitness level, gender |
| Deliver AI-powered form feedback | Camera frames (on-device only, not stored) |
| Display your fitness progress | Workout data, PRs, goals (local) |
| Show readiness and recovery insights | Health data (local, read from OS) |
| Sync workout catalog (exercises, programs) | Anonymous catalog queries to backend |
| Debug and fix technical issues | Crash logs and device data |
| Understand feature usage patterns | Screen view analytics |
| Respond to your support inquiries | Contact form data |
| Comply with legal obligations | As required by applicable law |
We do not use your data for advertising, profiling for non-fitness purposes, or sale to third parties.
5. Legal Bases for Processing {#legal-bases}
For users in jurisdictions that require a legal basis for data processing (including the EU, UK, Brazil, and others), we process your data on the following bases:
| Processing Activity | Legal Basis | Details |
|---|---|---|
| Account creation and authentication | Contract (Art. 6(1)(b) GDPR) | Necessary to provide the Service |
| Syncing exercise catalog data | Contract (Art. 6(1)(b) GDPR) | Necessary to provide exercise library |
| Displaying health data from OS | Explicit Consent (Art. 9(2)(a) GDPR) | Special category data; you grant permission at runtime |
| Camera use for AI pose detection | Contract (Art. 6(1)(b) GDPR) | Core feature; camera operates locally |
| Crash reporting and debugging | Legitimate Interest (Art. 6(1)(f) GDPR) | Our interest in maintaining a stable app; minimal data used |
| Screen view analytics | Legitimate Interest (Art. 6(1)(f) GDPR) | Understanding usage to improve the product; anonymized |
| Cloud backup (when enabled) | Explicit Consent | Activated by you; revocable at any time |
| Responding to support inquiries | Legitimate Interest (Art. 6(1)(f) GDPR) | Our interest in providing customer support |
| Compliance with law | Legal Obligation (Art. 6(1)(c) GDPR) | As required |
You have the right to object to processing based on legitimate interests. See Section 9 for how to exercise your rights.
6. Data Storage and Security {#storage-security}
6.1 Local Storage (On-Device)
Most of your personal data — including all workout history, health data, personal records, and goals — is stored locally on your device using:
- SQLite database encrypted with SQLCipher (AES-256 encryption at rest)
- Data is accessible only to the HelAI application
6.2 Cloud Storage
Account data (email, display name, UID) is stored in Firebase Authentication, operated by Google LLC. Firebase services are hosted on Google Cloud Platform infrastructure.
Firebase Data Connect (our exercise catalog database) is hosted in the europe-southwest1 region (Spain, EU).
When you enable cloud backup (planned premium feature), your workout data will be stored in the same region (europe-southwest1 or closer to your location, where available).
6.3 Security Measures
We implement the following security practices:
- Encryption in transit: All communications between the app and our backend use TLS 1.3
- Encryption at rest: Local database encrypted with SQLCipher (AES-256); Firebase at-rest encryption
- Access controls: Firebase Authentication with scoped JWT tokens; API requests authenticated with Firebase ID tokens
- Minimum data principle: We collect only what is necessary for each feature
- Regular security reviews: Dependencies are kept up to date; security is considered during code review
No method of transmission or storage is 100% secure. In the event of a data breach that poses a risk to your rights, we will notify you and relevant authorities as required by applicable law.
7. Data Sharing and Third Parties {#data-sharing}
We do not sell, rent, or trade your personal information to any third party. The following third-party service providers process some of your data on our behalf as data processors:
7.1 Google LLC — Firebase Platform
Services used: Firebase Authentication, Firebase Data Connect, Firebase Analytics, Firebase Crashlytics
Data processed: Account credentials, exercise catalog queries, screen view events, crash logs
Location: Google Cloud Platform — primarily europe-southwest1 (Spain, EU)
Legal framework: Google Cloud Data Processing Addendum (Standard Contractual Clauses included)
Link: Google Cloud Privacy
7.2 Cloudflare, Inc.
Service used: Cloudflare Turnstile (anti-spam verification on our website contact form)
Data processed: A challenge verification token — no user tracking, no cookies set for advertising
Location: Cloudflare global network
Link: Cloudflare Privacy Policy
7.3 Resend, Inc.
Service used: Email delivery (for contact form responses)
Data processed: Your email address and message content, used only to send our reply
Link: Resend Privacy Policy
7.4 What We Do NOT Do
- We do not sell your personal information to data brokers, advertisers, or any other party
- We do not share health data with any third party (it never leaves your device)
- We do not use any advertising networks or ad tracking SDKs
- We do not share workout history or personal records with any third party
- Garmin ConnectIQ integration operates exclusively over BLE — no data reaches Garmin's servers from HelAI
7.5 Legal Disclosures
We may disclose your information if required to do so by law, court order, or governmental authority. Where possible, we will notify you before complying with such requests unless prohibited by law.
8. Data Retention {#data-retention}
| Data Category | Retention Period | Notes |
|---|---|---|
| Account data (email, name, UID) | Until account deletion | Deleted within 30 days of deletion request |
| Workout history and goals | Until account deletion (cloud backup) / App uninstall (local) | Local data deleted when app is uninstalled |
| Health data cache | Until account deletion or app uninstall | Local only; never on our servers |
| Personal records | Until account deletion (cloud backup) / App uninstall (local) | |
| Firebase Analytics events | 14 months | Firebase default retention period |
| Crashlytics crash reports | 90 days | Firebase default retention period |
| Contact form messages | 12 months | For support continuity |
| Authentication tokens | Session duration | Refreshed per session |
After your account is deleted, we retain no personal data except where required by applicable law (for example, fraud prevention or tax compliance).
9. Your Rights {#your-rights}
Regardless of where you live, you have the following rights with respect to your personal data:
- Right of Access: You may request a copy of the personal data we hold about you
- Right to Rectification: You may request correction of inaccurate or incomplete data
- Right to Erasure: You may request deletion of your personal data ("right to be forgotten")
- Right to Data Portability: You may request your data in a structured, machine-readable format
- Right to Object: You may object to processing based on our legitimate interests (including analytics and crash reporting)
- Right to Restriction: You may request that we limit how we use your data in certain circumstances
- Right to Withdraw Consent: Where processing is based on consent (health data, cloud backup), you may withdraw consent at any time without affecting the lawfulness of prior processing
How to Exercise Your Rights
In-app: Go to Profile → Settings to manage health data permissions and notifications.
By email: Send your request to [email protected] with the subject line "Data Rights Request" and include:
- The right you wish to exercise
- Your account email address
- A brief description of your request
Response time: We will respond to all verified requests within 30 calendar days. In complex cases, we may extend this by an additional 30 days with prior notice.
We will not discriminate against you for exercising your rights.
10. Account and Data Deletion {#account-deletion}
You have the right to delete your account and all associated data at any time. Account deletion is irreversible.
Method 1: In-App Deletion (Recommended)
- Open the HelAI app
- Navigate to Profile
- Tap Settings
- Select Delete Account
- Confirm your decision
Method 2: Email Request
Send an email to [email protected] with the subject line "Account Deletion Request". Include the email address associated with your account. We will process your request within 30 days.
What Gets Deleted
Upon account deletion:
- Firebase account (authentication credentials, email, name) — deleted from Firebase Authentication
- Cloud-synced data — if cloud backup is enabled, all synced workout data and preferences are permanently deleted from our servers
- Local data — we will provide instructions for clearing local data from your device; uninstalling the app removes all locally stored data
Health Data
Health data from Apple Health or Google Health Connect is stored only on your device. It is automatically removed when you uninstall the app. Revoking health permissions from your device settings stops any future data reading.
Exceptions
We may retain minimal records for a limited period where required by law (such as for fraud prevention or tax records). Such retained data will be kept strictly confidential and deleted as soon as legally permitted.
11. Children's Privacy {#childrens-privacy}
The Service is intended for users who are 16 years of age or older (global default). We do not knowingly collect personal information from children below this age threshold.
If we become aware that we have collected personal information from someone under the applicable minimum age without appropriate consent, we will delete that information promptly.
Parents or guardians who believe a minor has provided personal information without proper consent may contact us at [email protected].
In certain jurisdictions, the minimum age is higher. See Section L — Minimum Age Requirements by Region for a complete table.
12. International Data Transfers {#international-transfers}
We are based in the Republic of Kazakhstan. Your data may be processed in countries other than your own, including:
- Spain (EU) — Firebase Data Connect and Firebase Authentication are hosted in the europe-southwest1 region
- United States — Google LLC's global infrastructure and Cloudflare's network span the US
We take the following measures to protect your data in international transfers:
- Standard Contractual Clauses (SCCs): Our agreement with Google LLC (Firebase) includes the EU Standard Contractual Clauses approved by the European Commission
- Data Processing Agreements: We have signed data processing agreements with all sub-processors
- Minimal transfer principle: Health data, workout history, camera data, and personal records are not transferred internationally — they stay on your device
- Consent: Where required by your local law (Japan, Turkey, certain other jurisdictions), your use of the Service and acceptance of this policy constitutes your consent to the cross-border transfer of your account data as described
13. Cookies and Website Tracking {#cookies}
We use only essential, strictly necessary data on our website (helai.app):
- Language preference — stored in your browser's localStorage (not a cookie) to remember the language you selected. This is not shared with any third party.
- Cloudflare Turnstile — our contact form uses Cloudflare Turnstile for anti-spam verification. This does not set tracking cookies and does not build a user profile. It is strictly necessary for form security.
We do not use:
- Advertising or tracking cookies
- Third-party analytics cookies
- Social media tracking pixels
- Session recording tools
A cookie consent banner is not displayed because no non-essential cookies are used.
14. Changes to This Policy {#changes}
We may update this Privacy Policy from time to time. When we make material changes — particularly changes that expand the types of data we collect or share — we will notify you:
- In-app notification displayed on your next app launch
- Email notification to the address associated with your account (for significant changes)
- Updated "Last Updated" date at the top of this page
Minor changes (such as clarifications or corrections) may be made without advance notice. We encourage you to review this policy periodically.
Your continued use of the Service after notification of changes constitutes acceptance of the updated policy. If you disagree with any changes, you should discontinue use and request account deletion.
15. Contact Us {#contact}
If you have questions, concerns, or requests relating to this Privacy Policy or how we handle your personal data, please contact us:
Privacy inquiries:
[email protected]
General support:
[email protected]
Website:
https://helai.app/support
We aim to respond to all privacy inquiries within 30 calendar days.
Regional Addenda
The following sections supplement the general policy above for users in specific jurisdictions. Where there is a conflict between this regional addendum and the general policy, the regional addendum applies to users in that jurisdiction.
A. European Economic Area, United Kingdom, and Switzerland {#region-eea}
This section applies to users in EU/EEA member states, the United Kingdom, and Switzerland.
Legal Bases (GDPR Article 6 and Article 9)
Health data is classified as special category personal data under Article 9 GDPR and may only be processed with your explicit consent, which you grant when you authorize access to Apple Health or Google Health Connect. You may withdraw this consent at any time through your device's system settings.
All other processing is conducted on the bases described in Section 5.
Your GDPR Rights
In addition to the rights listed in Section 9, you have the right to:
- Lodge a complaint with your national supervisory authority (for example, the BfDI in Germany, the CNIL in France, the AEPD in Spain, or the ICO in the United Kingdom)
- Request information about any automated decision-making that significantly affects you (there is currently none)
- Receive information about the source of your data (all data is provided directly by you)
Data Protection Impact Assessment
We have conducted a Data Protection Impact Assessment (DPIA) for our health data processing activities and pose detection feature, as required by Article 35 GDPR.
Cross-Border Transfers
Data transferred to the Republic of Kazakhstan (our controller's location) is protected by the Standard Contractual Clauses approved under Commission Implementing Decision (EU) 2021/914. Our agreement with Google LLC (Firebase) also incorporates SCCs for cross-border transfers.
B. United States and Canada {#region-us-ca}
California (CCPA/CPRA)
If you are a California resident, the California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA), grants you additional rights.
Categories of personal information we collect (CCPA categories):
| CCPA Category | Examples | Collected |
|---|---|---|
| Identifiers | Email, UID, display name | Yes |
| Personal records | Name, email | Yes |
| Characteristics of protected classifications | Gender (optional) | Yes, locally only |
| Internet or electronic network activity | Screen view events | Yes |
| Health or medical information | Health data from OS | Yes, locally only |
| Biometric information | Pose estimation (camera) | No — processed locally, not retained |
| Geolocation data | Location | No |
We do not sell or share your personal information. We have not sold or shared personal information in the preceding 12 months. California residents may submit a "Do Not Sell or Share My Personal Information" request to [email protected], though such a request is unnecessary as we do not sell or share PI.
Your California rights:
- Right to know what personal information is collected, used, shared, or sold
- Right to delete personal information
- Right to correct inaccurate personal information
- Right to opt out of sale or sharing (not applicable — we do not sell/share)
- Right to limit use of sensitive personal information (health data used only for app functionality)
- Right to non-discrimination for exercising rights
Sensitive personal information: Health data from your device's health platform is classified as sensitive personal information under CPRA. We use it only to provide the core features of the Service (Readiness Card, Body Metrics). It is not used for inference, advertising, or profiling.
Authorized agents: You may designate an authorized agent to submit CCPA requests on your behalf by providing written authorization to [email protected].
Other US States
Residents of Virginia, Colorado, Connecticut, Texas, Utah, and other states with comprehensive privacy laws have rights similar to those described in Section 9. We respond to all verifiable consumer requests in accordance with applicable state law.
Canada (PIPEDA and Quebec Law 25)
We process personal information in accordance with Canada's Personal Information Protection and Electronic Documents Act (PIPEDA) and, for Quebec residents, Act Respecting the Protection of Personal Information in the Private Sector (Law 25).
- Purpose limitation: We collect personal information only for the purposes described in this policy
- Consent: Meaningful consent is obtained for all processing
- Health information: Treated as sensitive; requires explicit consent
- Breach notification: Material breaches will be reported to the Office of the Privacy Commissioner of Canada (OPC)
- Quebec residents: This policy is available in French at helai.app/fr/privacy
Questions or complaints: You may contact the Office of the Privacy Commissioner of Canada at priv.gc.ca.
C. Brazil {#region-brazil}
This section applies to users in Brazil. Processing of your personal data complies with the Lei Geral de Proteção de Dados (LGPD — Law No. 13,709/2018).
Lawful Bases (LGPD Article 7 and Article 11)
Personal data is processed on the basis of contract performance (for account data), consent (for health data), and legitimate interest (for analytics and crash reporting). Health data is classified as sensitive personal data under LGPD Article 11 and is processed on the basis of your explicit consent.
Your LGPD Rights
In addition to Section 9, you have the following rights under LGPD:
- Confirmation of the existence of processing
- Access to your data
- Correction of incomplete, inaccurate, or outdated data
- Anonymization, blocking, or deletion of unnecessary or unlawful data
- Portability of your data to another service provider
- Information about which parties your data has been shared with
- Information about the consequences of refusing consent
- Withdrawal of consent at any time
Data Protection Officer (Encarregado)
Name: Konstantin Yeftifeyev
Contact: [email protected]
International Data Transfer
Your personal data (account data) is transferred to the European Union (Spain) for storage on Google Cloud Platform. This transfer is conducted on the basis of consent and contractual clauses providing equivalent protection to the LGPD, in accordance with LGPD Article 33.
Complaints
If you believe your rights have been violated, you may file a complaint with the Autoridade Nacional de Proteção de Dados (ANPD) at gov.br/anpd.
This Privacy Policy in Portuguese serves as the required LGPD privacy notice for Brazilian users.
D. Latin America — Mexico and Argentina {#region-latam}
Mexico (LFPDPPP)
Processing of your personal data in Mexico complies with the Ley Federal de Protección de Datos Personales en Posesión de los Particulares (LFPDPPP).
This Privacy Policy constitutes the Aviso de Privacidad required by Mexican law.
Sensitive personal data: Health data is classified as sensitive personal data under Mexican law and is processed only with your explicit, written consent (granted digitally in-app).
ARCO Rights: You have rights of Access, Rectification, Cancellation, and Opposition (derechos ARCO). To exercise your ARCO rights, contact [email protected].
Responsable: Konstantin Yeftifeyev (HelAI), [email protected]
Age: Users under 18 years of age in Mexico must have parental or guardian consent to use this Service.
Argentina (Ley 25.326)
Processing of personal data in Argentina complies with the Ley de Protección de los Datos Personales No. 25,326 and regulations of the Agencia de Acceso a la Información Pública (AAIP).
Health data is classified as sensitive data and processed only with explicit consent.
Your rights: You have rights of access, rectification, deletion, and opposition. Requests may be submitted to [email protected]. If your request is not addressed satisfactorily, you may direct complaints to the AAIP at argentina.gob.ar/aaip.
E. Japan and South Korea {#region-japan-korea}
Japan (APPI)
This section applies to users in Japan. Processing complies with the Act on the Protection of Personal Information (APPI), as amended.
Cross-border transfer disclosure: Your account data (email, display name, UID) is transferred to and stored in the Republic of Kazakhstan (our operator's location) and the European Union (Spain, Google Cloud). The Republic of Kazakhstan does not have a data protection framework deemed equivalent to Japan's APPI by the Personal Information Protection Commission (PPC). By creating an account and using the Service, you explicitly consent to this cross-border transfer of your personal data.
Health data is not transferred cross-border (it stays on your device) and is classified as "special care-required personal information" under APPI. It is processed only with your explicit consent.
Purpose of use: As specified in Section 4 of this policy.
Your rights: You may request disclosure, correction, cessation of use, or deletion of your personal information by contacting [email protected].
South Korea (PIPA)
This section applies to users in South Korea. Processing complies with the Personal Information Protection Act (PIPA), as amended in 2023.
Separate consent for sensitive information: Health data is classified as sensitive information under PIPA. Your consent to health data access (granted via in-app permission request) is separate from your acceptance of general Terms of Service and is obtained independently.
Personal Information Protection Officer: Konstantin Yeftifeyev, [email protected]
Cross-border transfer: Account data is transferred to Google Cloud (European Union, Spain) for storage. This transfer occurs on the basis of your consent. You will be informed of the recipient (Google LLC), the country (EU/Spain), the purpose of use, and your right to refuse.
Your PIPA rights: Access, correction, deletion, suspension of processing. Requests: [email protected]. If unresolved, you may complain to the Personal Information Protection Commission (PIPC) at pipc.go.kr.
Breach notification: In the event of a data breach, we will notify affected Korean users without delay per PIPA requirements.
F. Middle East — UAE and Saudi Arabia {#region-gulf}
United Arab Emirates (UAE PDPL)
Processing complies with Federal Decree-Law No. 45 of 2021 on the Protection of Personal Data (UAE PDPL).
Health data is classified as sensitive data and processed only with your explicit consent.
Your rights: Access, correction, deletion, restriction, objection, and portability. Contact [email protected].
Data breaches: We will notify the UAE Data Office and affected users without undue delay in the event of a breach.
Saudi Arabia (PDPL)
Processing complies with the Personal Data Protection Law (PDPL) of Saudi Arabia and its implementing regulations.
Health data is classified as sensitive data and processed only with explicit consent.
Your rights: Right to be informed, access, correction, and destruction. Contact [email protected].
We monitor the evolving implementation of Saudi Arabia's data localization requirements and will update our practices accordingly.
G. India and Indonesia {#region-india-indonesia}
India (DPDPA)
Processing of personal data of Indian residents complies with the Digital Personal Data Protection Act, 2023 (DPDPA).
Consent: We obtain your free, specific, informed, and unambiguous consent before processing your personal data. You may withdraw consent at any time.
Age: In India, users under 18 years of age must have verifiable parental or guardian consent before using this Service, in accordance with the DPDPA's provisions on children's data.
Your rights as a data principal: Right to access information about your personal data; right to correction and erasure; right to grievance redressal. Contact [email protected].
Grievance officer: Konstantin Yeftifeyev, [email protected]
Data breach: We will notify the Data Protection Board of India and affected users without delay as required.
Indonesia (PDP Law)
Processing complies with Law No. 27 of 2022 on Personal Data Protection (PDP Law), effective October 2024.
Health data is classified as specific personal data (data pribadi yang bersifat spesifik) and processed only with your explicit consent.
Age: In Indonesia, users under 17 years of age must have parental or guardian consent.
Your rights: Access, correction, deletion, withdrawal of consent, objection, suspension. Contact [email protected].
Breach notification: We will notify affected Indonesian users and competent authorities within 3×24 hours of becoming aware of a breach affecting your data, as required.
H. Turkey {#region-turkey}
This section applies to users in Turkey. Processing complies with the Law on Protection of Personal Data No. 6698 (KVKK).
Sensitive data: Health data is classified as special categories of personal data (özel nitelikli kişisel veri) under KVKK Article 6 and is processed only with your explicit consent.
Data controller: Konstantin Yeftifeyev (HelAI), Republic of Kazakhstan, [email protected]
Cross-border transfer: The Republic of Kazakhstan is not on Turkey's list of countries with adequate protection. Accordingly, your data is transferred on the basis of your explicit consent and a commitment by the data controller to ensure equivalent protection, per KVKK Article 9. This policy, together with your account creation, constitutes your consent to this transfer.
Your KVKK rights:
- To learn whether personal data is processed
- To request information about processing
- To learn the purpose and appropriateness of processing
- To know the third parties to whom your data is transferred
- To request correction or deletion
- To object to processing
- To demand compensation for damages
To exercise your rights, contact [email protected].
I. Russia and CIS — Kazakhstan, Uzbekistan {#region-cis}
Russia (Federal Law No. 152-FZ)
This section applies to users in the Russian Federation.
International processing: Your personal data (account data: email, display name, UID) is processed outside the Russian Federation, specifically on Google Cloud Platform infrastructure in the European Union (Spain). Health data, workout history, and personal records are stored exclusively on your device and are not subject to cross-border transfer.
By creating an account, you provide your consent to the cross-border transfer of your account data in accordance with Article 12 of Federal Law No. 152-FZ "On Personal Data". You may withdraw this consent by deleting your account.
Your rights: Access to your data, correction, blocking, deletion, and withdrawal of consent. Contact [email protected].
Data localization note: We are aware of the data localization requirements of 152-FZ regarding initial collection and storage of personal data of Russian citizens on servers located in Russia. Our primary data collection and storage occurs on Google Cloud (Spain, EU). We rely on your consent for cross-border transfer as provided for by law. We do not currently maintain Russia-based infrastructure.
Kazakhstan (Law No. 94-V)
This is our home jurisdiction. Processing complies with the Law of the Republic of Kazakhstan No. 94-V "On Personal Data and Their Protection" (2013, as amended).
Health data is classified as "restricted access personal data" (персональные данные ограниченного доступа) and is processed only with your explicit consent.
Your rights: Access, correction, deletion, and revocation of consent. Contact [email protected].
Uzbekistan (Law "On Personal Data," 2019)
Processing of personal data of Uzbekistani users complies with the Law "On Personal Data" (2019, as amended 2021). Data is processed with your consent. Health data is processed as sensitive data with explicit consent.
Your rights: Access, correction, deletion, and withdrawal of consent. Contact [email protected].
J. Australia {#region-australia}
This section applies to users in Australia. Processing complies with the Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs).
Sensitive information: Health data (including sleep, heart rate, weight, body fat, and steps) constitutes "sensitive information" under the Privacy Act and is processed only with your explicit consent (granted via in-app permission request).
Overseas recipients: Your account data is processed by Google LLC, which operates infrastructure in the United States and European Union. We have taken reasonable contractual steps to ensure Google LLC provides equivalent privacy protections (including SCCs under their data processing agreement).
Under APP 8.1, if an overseas recipient handles your information in a way that would breach the APPs, we remain accountable.
Your rights: You have the right to access and correct your personal information. Contact [email protected].
Complaints: If you are not satisfied with our response, you may complain to the Office of the Australian Information Commissioner (OAIC) at oaic.gov.au.
Notifiable Data Breaches: We will notify the OAIC and affected Australian users of any eligible data breach (one that is likely to result in serious harm) as required by the Notifiable Data Breaches (NDB) scheme.
K. Africa — South Africa, Nigeria, Kenya, Egypt {#region-africa}
South Africa (POPIA)
Processing complies with the Protection of Personal Information Act, 2013 (POPIA).
Health data is classified as special personal information and processed only with your explicit consent.
Responsible party: Konstantin Yeftifeyev (HelAI), Republic of Kazakhstan.
Age: In South Africa, users under 18 years of age are considered children. Processing of personal information of children requires consent from a competent person (parent or guardian).
Your rights: Right to be notified, right of access, right to correction, right to deletion, right to object. Contact [email protected].
Complaints: You may lodge a complaint with the Information Regulator of South Africa at inforegulator.org.za.
Nigeria (NDPR/NDPA)
Processing complies with the Nigeria Data Protection Regulation (NDPR, 2019) and the Nigeria Data Protection Act (NDPA, 2023).
Data Protection Impact Assessment: We have conducted a DPIA for our health data processing activities, as required for high-risk processing.
Your rights: Consent-based rights including access, rectification, deletion. Contact [email protected].
Complaints: Complaints may be directed to the Nigeria Data Protection Commission (NDPC) at ndpc.gov.ng.
Kenya (Data Protection Act, 2019)
Processing complies with the Data Protection Act, No. 24 of 2019.
Health data is processed as sensitive personal data with explicit consent.
Age: In Kenya, users under 18 years of age require parental or guardian consent.
Your rights (per Section 26): access, rectification, deletion, portability, objection. Contact [email protected].
Complaints: You may file a complaint with the Office of the Data Protection Commissioner (ODPC) at odpc.go.ke.
Egypt (Law No. 151/2020)
Processing complies with Egypt's Personal Data Protection Law No. 151 of 2020.
Health data is processed as sensitive data with your explicit consent.
Your rights: Access, correction, deletion, restriction, portability. Contact [email protected].
L. Minimum Age Requirements by Region {#region-age-table}
The minimum age to use HelAI without parental consent varies by region:
| Region / Country | Minimum Age | Notes |
|---|---|---|
| Default (global) | 16 | Self-consent |
| European Union (FR) | 15 | France — national derogation |
| European Union (ES) | 14 | Spain — national derogation |
| European Union (DE, others) | 16 | German standard |
| United Kingdom | 13 | UK GDPR age of digital consent |
| Canada | 13 | PIPEDA general standard |
| United States | 13 | COPPA (under-13 prohibition) |
| Brazil | 12–18 | Under-12: prohibited; 12–17: best interests standard |
| Mexico | 18 | Parental consent required under 18 |
| Argentina | 13 | Under-13 prohibited; 13–17 with parental consent |
| India | 18 | Parental consent required under 18 (DPDPA) |
| Indonesia | 17 | Parental consent required under 17 |
| South Korea | 14 | Under-14 requires parental consent (PIPA) |
| Japan | 16 | General standard |
| Russia | 16 | General standard |
| Kazakhstan | 16 | General standard |
| Australia | 15 | Recommended standard for health apps |
| South Africa | 18 | POPIA children's threshold |
| Nigeria | 16 | General standard |
| Kenya | 18 | DPA children's threshold |
| UAE / Saudi Arabia | 16 | General standard |
| Turkey | 16 | General standard |
Our global policy: HelAI is designed for users 16 years of age and older. In jurisdictions where the minimum age is higher (India, Mexico, Indonesia, South Africa, Kenya), users under that jurisdiction's threshold must have parental or guardian consent. Users who are under 13 years of age in any jurisdiction may not use the Service under any circumstances.
This Privacy Policy was prepared for the HelAI mobile application and website. It is provided for informational purposes and does not constitute legal advice. We recommend consulting a qualified attorney in your jurisdiction for specific legal guidance.