Privacy Policy


HeartHero, Inc. ("HeartHero," "we," "us," or "our") collects, uses, shares, and protects personal data and data generated by our products and services, including the Elliot Automated External Defibrillator (AED), its associated Mobile App, and Cloud Software. This Privacy Notice and Cookie Policy explains our practices in compliance with applicable data protection laws, including those in the EU, UK, US, and Australia. We act as the data controller for the personal data we process.

Our contact details are:

HeartHero, Inc.
3200 Cherry Creek S Drive, Suite 470
Denver, CO 80209, USA
Email: privacy@hearthero.com

What Data We Collect

We collect the following personal data:

  • User Profile and Account Data: Information you provide during registration, such as email address, password (hashed), name (optional), and contact details.
  • Health Data: During sudden cardiac arrest (SCA) treatments, the device collects ECG recordings, shock delivery details, event timelines, and CPR metrics.
  • Location Data: GPS coordinates from the device during self-tests or treatments, aggregated where possible.
  • Device and Usage Data: Logs including self-test results, battery/pad status, connectivity issues, and app interactions.
  • Voluntary Feedback: Responses to surveys, in-app messages, or post-event reports, which may include outcome data.
  • Technical Data: IP addresses, device identifiers, and audit logs for security.

We collect data directly from you (e.g., via app registration), automatically from the device (e.g., during SCA events), or from third parties (e.g., emergency medical services).

How We Use Your Data

We use your data for:

  • Service Provision: Operating the Elliot AED for SCA treatment.
  • Device Maintenance: Performing self-tests and updates.
  • Safety Monitoring: Analyzing data for device safety and performance.
  • Compliance: Meeting legal and regulatory obligations.
  • Feedback: Improving our products with your consent.

We do not use data for marketing without your explicit consent.

How We Share Your Data

We share data with:

  • Service Providers: Companies like Amazon Web Services (AWS) for storage, bound by contracts ensuring data protection.
  • Emergency Services: EMS partners for treatment coordination, under strict agreements.
  • Authorities: For regulatory reporting (e.g., medical device safety).

We do not sell your personal data.

International Data Transfers

As a US-based company, we may transfer data from other countries to the US. We ensure safeguards through:

  • Certification under the EU-US Data Privacy Framework (DPF) and UK Extension.
  • Contracts with standard clauses for additional protection.
  • Encryption and other security measures.

Data Retention

We keep data only as long as needed:

  • Treatment data: 10 years for safety monitoring.
  • Account data: 10 years from last activity.

Data is securely deleted afterward.

Cookies and Similar Technologies

We use cookies and similar technologies (e.g., device identifiers) in the Mobile App to enhance functionality, security, and user experience:

  • Essential Cookies: Required for core app functions (e.g., secure login, device pairing). These do not require your consent, but we disclose them here for transparency.
  • Analytics/Performance Cookies: Monitor app performance (e.g., usage, errors), requiring your consent.
  • Preference Cookies: Store your settings (e.g., notifications), requiring your consent.

For non-essential cookies, we obtain your explicit consent via a banner during app onboarding, with options to accept, reject, or customize. You can manage cookies at any time via app settings or by contacting privacy@hearthero.com. We use AWS for analytics, bound by strict contracts. Cookie data is retained for up to 2 years and secured with encryption.

Data Security

We protect your data with:

  • Encryption for data at rest and in transit.
  • Access controls and regular audits.
  • Prompt breach response, with notifications if required.

Your Data Protection Rights

You have the right to:

  • Access: See what data we hold about you.
  • Rectification: Correct inaccurate data.
  • Erasure: Delete your data, subject to legal exceptions.
  • Restriction: Limit how we use your data.
  • Portability: Receive your data in a usable format.
  • Objection: Object to certain uses.
  • Withdraw Consent: At any time.

To exercise these rights, contact privacy@hearthero.com. We respond within 30 days (or 45 days for US requests). Verification may be required.

Your State-Specific Rights

If you are a resident of certain US states, you may have additional rights under applicable state privacy laws, including but not limited to the California Consumer Privacy Act (CCPA, as amended by CPRA), Virginia Consumer Data Protection Act (VCDPA), Colorado Privacy Act (CPA), Connecticut Data Privacy Act (CTDPA), Utah Consumer Privacy Act (UCPA), Texas Data Privacy and Security Act (TDPSA), Oregon Consumer Privacy Act (OCPA), Montana Consumer Data Privacy Act (MTCDPA), Iowa Consumer Data Protection Act (ICDPA), Delaware Personal Data Privacy Act (DPDPA), Tennessee Information Protection Act (TIPA), Indiana Consumer Data Protection Act (INDCDPA), and similar laws in other states (collectively, "State Privacy Laws"). These laws may provide rights to:

  • Know/Access: Request details about the personal data we collect, use, share, or sell (we do not sell your data). This includes categories like user profiles (e.g., email, name), health data (e.g., ECG recordings from SCA treatments), location data (e.g., GPS during events), and device logs.
  • Correct: Update inaccurate personal data.
  • Delete: Request deletion of your personal data, subject to exceptions (e.g., for regulatory compliance like PMS/PMCF safety monitoring).
  • Opt-Out: Opt out of targeted advertising, profiling, or sharing of personal data (we do not engage in "sales" as defined under CCPA). We honor global opt-out signals like Global Privacy Control.
  • Sensitive Data Limits: For sensitive data (e.g., health metrics like CPR details or precise location), we limit processing to essential purposes (e.g., device functionality) and require opt-in consent where applicable.
  • Non-Discrimination: We will not discriminate against you (e.g., deny services or charge differently) for exercising these rights.

To exercise these rights, submit a verified request via privacy@hearthero.com or the Mobile App settings. We respond within 45 days (or as otherwise required by law) and may require identity verification. Authorized agents can submit a request on your behalf with proof of authorization. If we deny your request, you can appeal by replying to our response email. For more details on data categories, purposes (e.g., service provision, safety monitoring), and sharing (e.g., with service providers like AWS under strict contracts), contact privacy@hearthero.com.

We monitor and update for new State Privacy Laws to ensure ongoing compliance.

Children’s Data

For children under 16 (EU) or under 13 (UK and US), we obtain parental consent for non-emergency data (e.g., app registration) via app verification or email. Emergency health data (e.g., ECG recordings during SCA) is processed without prior consent in order to protect life, and parents are notified afterward. Parents can access, delete, or restrict their child's data by contacting privacy@hearthero.com.

Complaints

If you have concerns, contact our Data Protection Officer at privacy@hearthero.com. You can also complain to:

  • Irish Data Protection Commission (www.dataprotection.ie) for EU issues.
  • UK Information Commissioner’s Office (www.ico.org.uk) for UK issues.
  • California Privacy Protection Agency (www.cppa.ca.gov) for California issues.
  • Federal Trade Commission (www.ftc.gov) for US children’s data.
  • Office of the Australian Information Commissioner (www.oaic.gov.au) for Australian issues.

Changes to This Policy

We may update this policy to reflect changes in our practices or laws. We will notify you via email or in-app notices for significant changes. Continued use constitutes acceptance. Check the Effective Date above for the latest version.

Contact Us

For questions, contact our Data Protection Officer at privacy@hearthero.com.