Privacy Policy

Version 1.0 · Last Updated: 2026-02-08

1. Introduction

Welcome to SaunaTracker Pro. This Privacy Policy explains how we collect, use, disclose, and protect your personal information when you use our iOS and watchOS application.

SaunaTracker Pro is a health and wellness application that helps you track heat and cold exposure therapy sessions (such as sauna, steam room, and cold plunge sessions) and monitors health metrics to evaluate session effectiveness.

Your privacy is important to us. We are committed to protecting your personal information and being transparent about our data practices. This policy is designed to help you understand:

• What information we collect
• Why we collect it
• How we use it
• Your rights regarding your information

2. Who We Are (Data Controller)

Data Controller: JDP Software Pty Ltd, Australia

Privacy Officer: Privacy Officer, JDP Software Pty Ltd
Email: privacy@saunatracker.pro

For users in the European Economic Area (EEA), if you have concerns about our data practices, you have the right to lodge a complaint with your local data protection authority.

For users in Australia, you may contact the Office of the Australian Information Commissioner (OAIC) if you have concerns about how we handle your personal information.

3. Information We Collect

3.1 Health Data from Apple HealthKit

With your explicit permission, SaunaTracker Pro reads and writes the following health data types through Apple HealthKit:

Data Type	Read	Write	Purpose	Lawful Basis
Heart Rate and Resting Heart Rate	Yes	Yes, heart-rate samples may be saved during sessions	Monitor cardiovascular response during sessions	Explicit consent (GDPR Art. 9(2)(a))
Heart Rate Variability (HRV)	Yes		Assess recovery and adaptation	Explicit consent (GDPR Art. 9(2)(a))
Blood Oxygen Saturation (SpO2)	Yes		Monitor oxygen levels during sessions	Explicit consent (GDPR Art. 9(2)(a))
Sleep Analysis and Sleep Score	Yes		Correlate sleep quality with session timing	Explicit consent (GDPR Art. 9(2)(a))
Workouts	Yes	Yes	Record and retrieve therapy sessions	Explicit consent + Contract performance
Workout Routes		Yes, on Apple Watch when route capture is enabled	Attach route information to Apple Health workouts	Explicit consent + Contract performance
Active and Basal Energy	Yes	Yes, active energy may be saved during sessions	Measure session activity and energy expenditure	Explicit consent (GDPR Art. 9(2)(a))
Step Count	Yes		Improve sleep onset and recovery estimates	Explicit consent (GDPR Art. 9(2)(a))
Blood Pressure	Yes		Enriched health analysis (if available)	Explicit consent (GDPR Art. 9(2)(a))
Blood Glucose	Yes		Enriched health analysis (if available)	Explicit consent (GDPR Art. 9(2)(a))
Body, Wrist, and Sleeping Wrist Temperature	Yes		Enriched temperature analysis (if available)	Explicit consent (GDPR Art. 9(2)(a))
Body Mass	Yes, on Apple Watch		Support workout energy calculations	Explicit consent (GDPR Art. 9(2)(a))
State of Mind and Wellbeing Score	Yes	Yes, State of Mind may be saved from Apple Watch guided relaxation flows	Mood and wellbeing correlation analysis (if available)	Explicit consent (GDPR Art. 9(2)(a))

Important: HealthKit data is stored by Apple on your device and in your personal iCloud account. SaunaTracker Pro accesses specific HealthKit data types only after you grant permission and only for the purposes described in this policy. If you enable Premium AI Coaching, the session metrics described below are transmitted to our backend and AI processor to generate coaching insights.

3.2 Account Information

When you sign in with Apple (Sign in with Apple / SIWA):

• Apple User ID (pseudonymized identifier)
• Email Address (only if you choose to share it; you may use Apple's private relay email)
• Name (only if you choose to share it)
• App Attest install identity (device/install-scoped identifier used for authentication, abuse prevention, and entitlement enforcement)

3.3 App Usage Data

• Workout Records created within the App (exposure type, duration, phases)
• HCEI Scores (Heat-Cold Exposure Index—our proprietary effectiveness metric)
• Goals and Preferences you set within the App
• User Profile information (age range, if provided for personalization)

3.4 Technical Data

• Device Information (device type, operating system version)
• App Version
• Device Attestation Data (used solely for security and fraud prevention; not personally identifying)

3.5 Analytics and Tracking

We may use Apple's built-in App Analytics to understand general app usage patterns (e.g., crash reports, aggregate feature usage). This data is anonymised by Apple and cannot identify individual users. We do not use any third-party analytics services.

3.6 Data We Do NOT Collect

• Location data
• Contacts or address book
• Photos or media
• Third-party analytics or tracking identifiers
• Advertising identifiers

4. How We Use Your Information

4.1 Primary Purposes

Purpose	Lawful Basis
Provide core App functionality	Contract performance
Record and display your workout sessions	Contract performance
Access HealthKit data for session tracking	Explicit consent as gateway
Calculate HCEI scores from health metrics	Contract performance
Sync data across your devices via iCloud	Contract performance
Authenticate your identity	Legitimate interest (security)
Provide AI-powered insights (Premium subscribers)	Explicit consent

4.2 AI Features (Premium Subscription Only)

If you are a Premium subscriber and opt in to AI features:

• Session metrics including duration, heart rate, HRV, SpO2, sleep quality, and HCEI are processed by our backend servers to generate personalized insights
• Those session metrics are sent to OpenAI's GPT-4o-mini model as our AI processor
• AI processing uses a pseudonymous device/account-scoped identifier for correlation. This identifier is not anonymous, but your name and email are not sent to OpenAI.
• Our backend processing is transient—we do not permanently store your health data on our servers
• You can disable AI features at any time while retaining your Premium subscription

AI Processing Limits:

• Your data is NOT used to train AI models by us; OpenAI API data is not used to train OpenAI models by default
• There is NO cross-user profiling—your data is processed individually for your insights only
• There are NO automated decisions with legal or significant effects—AI provides informational insights only
• AI insights are recommendations, not instructions, and do not constitute medical advice

4.3 What We Do NOT Do With Your Data

• We do NOT sell your personal information
• We do NOT share your data with advertisers
• We do NOT use your health data for purposes unrelated to App functionality
• We do NOT make automated decisions that significantly affect you without human oversight

5. How We Share Your Information

5.1 Apple Services

Service	Data Shared	Purpose	Role
iCloud (CloudKit)	App data	Cross-device sync	Data Processor (app data) / Independent Controller (iCloud account)
HealthKit	Health metrics	Read/write health data	Platform Provider
Sign in with Apple	Authentication tokens	Identity verification	Identity Provider
App Store	Purchase status	Subscription verification	Platform Provider

Note on Apple's Role: Apple acts as a data processor for app data stored in your iCloud private database, and independently as a controller for your iCloud account and platform services. Your iCloud data is protected by Apple's privacy practices and Data Processing Addendum.

5.2 Our Backend Services and AI Processor (Premium AI Features Only)

If you opt in to AI features, session data is transmitted to our backend infrastructure and AI processor:

• Provider: Amazon Web Services (AWS)
• Region: ap-southeast-2 (Sydney, Australia)
• Data Transmitted: Session metrics including duration, heart rate, HRV, SpO2, sleep quality, and HCEI
• Storage: Transient processing only; not permanently stored
• Protection: JWT authentication, TLS encryption in transit
• AI Processor: OpenAI, using GPT-4o-mini to generate AI Coaching insights. OpenAI may retain API abuse-monitoring logs for a limited period under its API data controls unless a shorter retention arrangement applies.

5.3 Third Parties We Do NOT Share With

• Advertising networks
• Data brokers
• Social media platforms
• Analytics providers
• Any third party for marketing purposes

6. Data Storage and Security

Data Type	Storage Location
HealthKit data	Your device + your iCloud; AI Coaching session metrics are separately processed as described above if you opt in
App data (workouts, goals)	Your device + your iCloud
Account credentials	Apple's systems
AI processing data	AWS ap-southeast-2 and OpenAI API processing (transient in our backend)

We implement appropriate technical and organisational measures to protect your data, including encryption in transit (TLS 1.3) and at rest, secure authentication via Sign in with Apple, and strict access controls on backend systems.

6.1 Data Breach Notification

In the event of a data breach that is likely to result in a risk to your rights and freedoms, we will notify you and the relevant supervisory authority in accordance with applicable law (including GDPR 72-hour notification requirements and the Australian Notifiable Data Breaches scheme).

7. Data Retention

Data Type	Retention Period
Workout records	Until you delete them
Account information	Until you delete your account
Consent records	7 years after account deletion
Research export files	Deleted automatically after 30 days; deleted or redacted sooner when you delete your account
AI processing data	Not retained by our backend after transient processing; OpenAI API abuse-monitoring logs may be retained for a limited period under OpenAI's API data controls

You can delete your data at any time: individual workouts within the App, all App data by deleting your account in Profile settings, or HealthKit data via iOS Settings.

8. Your Rights

Regardless of your location, you have the right to:

• Access your personal data
• Correct inaccurate data
• Delete your data
• Export your data in a portable format
• Withdraw consent for optional processing

Additional rights apply under GDPR (EEA), the Australian Privacy Act, and CCPA (California). Contact us at privacy@saunatracker.pro to exercise your rights. We will respond within the timeframes required by applicable law (generally 30 days for GDPR and Australian Privacy Act requests, 45 days for CCPA requests).

9. Children's Privacy

You must be at least 17 years old to use SaunaTracker Pro. We do not knowingly collect personal information from anyone under 17. If you believe we have collected information from a child under the applicable age threshold, please contact us immediately at privacy@saunatracker.pro.

10. International Data Transfers

Your App data synced via iCloud is transferred according to Apple's practices, supported by Apple's Data Processing Addendum and Standard Contractual Clauses (SCCs) for transfers outside the EEA.

If you opt in to AI features, data is processed by our AWS infrastructure in ap-southeast-2 (Sydney, Australia) and by OpenAI as our AI processor. For EEA users, Standard Contractual Clauses are in place. A copy of the relevant safeguards is available upon request at privacy@saunatracker.pro.

11. Changes to This Policy

We may update this Privacy Policy from time to time. When we make material changes, we will update the "Last Updated" date and notify you through the App. For changes that materially affect how we process your personal data, we will require your affirmative re-acknowledgment.

12. Contact Us

If you have questions about this Privacy Policy or our data practices:

Privacy Officer: JDP Software Pty Ltd
Email: privacy@saunatracker.pro

13. HealthKit Compliance

Our use of HealthKit data complies with Apple's HealthKit guidelines: we only use HealthKit data for health and fitness purposes, we do not use it for advertising, we do not share it with third parties except as described in this policy, and we obtain explicit user consent before accessing HealthKit.