PRIVACY

Your Data Is Yours

HEKA is built on a local-first principle. By default, everything lives on your device. We cannot see it, sell it, or lose it. You choose when — and if — anything leaves your hands.

I. THE LOCAL-FIRST OATH

Data Storage

By Default, Everything Is Local

Your notes, journal entries, birth charts, tracker data, and app preferences are stored in an IndexedDB database on your device using the Dexie.js library. This is a structured, persistent database that survives browser restarts and app updates. We cannot access this data. We do not back it up. It cannot be recovered if you lose your device unless you have enabled cloud sync or performed a manual export.

Data Type | Purpose | Storage
Daily Notes | Calendar day notes with categories and timestamps | Device Only
Journal Entries | Oracle Journal entries with markdown, tags, mood, revision history (up to 50 per entry) | Device Only
Journal Attachments | Images, audio recordings, and files attached to journal entries | Device Only
Birth Charts | Astrological profiles, natal charts, and transit calculations | Device Only
Daily Oracle Cards | Generated oracle cards, celestial snapshots, and draw history | Device Only
Reflection Data | Daily mood, rest quality, vitality, and custom journal reflections | Device Only
App Settings | Theme, location, zodiac preferences, notification settings, language | Device Only
Notifications | Task reminders, celestial alerts, tracker reminders, daily reflections | Device Only
Search Index | Full-text search index of journal entries for fast lookup | Device Only
PDF Export | Print-to-PDF feature output (generated locally) | Device Only
Community Voting | Feature requests, holiday submissions, energy voting | Cloud (with UID)
Social Data | Friends, messages, task shares, online presence (if using Cosmic Circle) | Cloud (encrypted)
Crash Analytics | App stability diagnostics and error reports | Cloud (anonymous)

II. YOUR RIGHTS

GDPR & CCPA Compliance

Access: Export all your data as JSON at any time — journal entries, birth charts, tracker history, settings, and achievements.

Deletion: Erase all data permanently from device and cloud with one action.

Portability: Import and export JSON to transfer your data between devices or systems.

III. WHAT WE COLLECT & WHY

Data Categories

📓 Journal & Notes

Calendar notes and Oracle Journal entries including text (plain or markdown), tags, mood ratings, timestamps, and revision history. Stored in IndexedDB with a full-text search index. AI insights are generated using template-based analysis by default. Optional LLM enhancement sends entry context to your chosen provider only when explicitly enabled.

🌙 Daily Oracle

One card per day is generated from a real-time celestial snapshot (moon phase, planetary positions, retrogrades, dominant element) computed on-device using Swiss Ephemeris. If you have a birth chart, a personalized note connects the card to your natal Sun sign. Cards and draw history are stored locally in IndexedDB.

📊 On-Device Analytics

Tutorial progress, onboarding funnel completion, and pattern recognition events are tracked strictly on-device to improve the user experience. These analytics are never transmitted to external servers. We do not use Google Analytics, third-party advertising, behavioral tracking cookies, or device fingerprinting.

IV. HEALTH & WELLNESS DATA

Sensitive Tracking

HEKA includes comprehensive wellness tracking that may record health-sensitive information. All tracker data is stored locally on your device by default. If you enable cloud synchronization, this data is encrypted before transmission and stored in Firebase.

Reflection categories include: daily reflection (1-10 rating, emotional tone, triggers), rest (duration, quality, factors), vitality (energy level, type), and custom user-defined reflections.

On-device insights: Cycle predictions, fertility windows, PMS predictions, symptom patterns, and health alerts are generated entirely on your device using local algorithms. No health data is sent to external servers for analysis.

V. ARTIFICIAL INTELLIGENCE

LLM Processing

HEKA offers optional AI-powered features that use external Large Language Models (LLMs). AI enhancement is entirely opt-in and disabled by default. Without enabling it, all insights, coaching, and analysis use on-device template-based generation — no data leaves your device.

When AI is enabled, you provide your own API key for one of the following providers: Groq, OpenAI, Anthropic, or a self-hosted Ollama instance. The following contextual data may be sent to your chosen provider to generate personalized insights:

  • Celestial state and transit summary for the current date
  • Your archetype and general mood tone (if available)
  • Pending tasks and task completion count
  • Writing streak and recent journal activity summary
  • Location (for planetary hour and sun time calculations)
  • Zodiac preferences (tropical/sidereal, 12/13 signs)

We do not store or log your API keys. They are saved in your device's secure storage. LLM responses are cached in memory for up to 4 hours to reduce API calls. Sentiment analysis of journal entries is performed entirely on-device using a local lexicon — no text is transmitted for this purpose.

VI. DAILY ORACLE

Celestial Features

The Daily Oracle generates one personalized card per day based on a real-time celestial snapshot. Planetary positions, moon phase, retrogrades, and dominant elements are computed on-device using Swiss Ephemeris WASM. No astronomical data is transmitted to external servers.

Weather data is fetched from Open-Meteo (open-meteo.com) using your latitude and longitude. Sunrise and sunset times are fetched from NOAA Sunrise-Sunset (sunrise-sunset.org) using the same location. These services receive only coordinates — no identifying information.

Location: Your location is stored locally and used for astronomical calculations, weather, and sun times. It is never shared with third parties beyond the coordinate-based API calls described above.

VII. SOCIAL FEATURES

Cosmic Circle

The Cosmic Circle enables social features including friend connections, messaging, task sharing, and collaborative rituals. Social data is stored in Firebase Firestore and requires cloud sync to be enabled.

What is stored: Friend profiles and friendship connections, direct messages, shared tasks and task rituals, online presence and last-active status, invite codes and deep links, community holiday submissions, and feature voting (both associated with your Firebase Auth UID).

Shared tasks create public Firestore documents accessible via share code. They include the task details and creator display name. Energy voting uses a locally-generated device ID for anonymous daily participation.

VIII. CONTENT SAFETY

Crisis Detection

To help protect user safety, journal entries are scanned on-device for crisis indicators including references to self-harm, suicide, severe depression, and violence. This scanning uses a local keyword list and occurs entirely on your device — no journal text is transmitted for this purpose.

If concerning language is detected, the app displays local support resources such as the 988 Suicide & Crisis Lifeline and Crisis Text Line. No alerts are sent to us or any third party. This is a user-safety feature designed to provide immediate access to help.

IX. THIRD-PARTY SERVICES

External Providers

🔭 Swiss Ephemeris

Astronomical calculations run entirely on your device via WASM. No birth chart data, location, or personal information is transmitted for astrological computation.

🌤️ Open-Meteo

Weather data is fetched from open-meteo.com using your latitude and longitude. No API key is required. No identifying information is transmitted.

🌅 NOAA Sunrise-Sunset

Sunrise and sunset times are fetched from sunrise-sunset.org using your coordinates. No identifying information is transmitted.

🤖 LLM Providers (Opt-In Only)

Groq, OpenAI, Anthropic, or Ollama — only when you enable AI and provide your own API key. Data is sent directly to your chosen provider. We are not an intermediary.

🔥 Firebase (Google)

If you enable cloud sync, encrypted data is stored in Firebase Firestore. Firebase Crashlytics is used for anonymous crash reporting. Encryption keys are generated and stored on your device.

🔤 Google Fonts

The Print-to-PDF feature loads Playfair Display and other fonts from Google's CDN (fonts.googleapis.com) for styled PDF output.

X. NO TRACKING

What We Don't Do

We Don't Use:

  • Google Analytics
  • Third-party advertising
  • Behavioral tracking cookies
  • Device fingerprinting
  • Selling your data

Network Requests:

  1. App updates (manual)
  2. Cloud sync (if enabled)
  3. Weather & sun times (coordinate-only)
  4. LLM APIs (opt-in only, your key)
  5. Community & social (if enabled)

XI. CHILDREN'S PRIVACY

Age Requirements

HEKA is not directed to children under 13 years of age. We do not knowingly collect, use, or disclose personal data from children. The app contains wellness tracking features that are intended for adult users. If you believe a child has provided personal information through our services, please contact us immediately for deletion.

XII. INTERNATIONAL DATA

Cross-Border Transfers

By default, all data remains on your device in your jurisdiction. If you enable cloud synchronization, encrypted data may be stored on Firebase servers located in your region. For any transfer outside the European Economic Area, we utilize EU Standard Contractual Clauses and maintain appropriate safeguards.

XIII. CHANGES TO THIS POLICY

Updates

We may update this privacy policy from time to time to reflect changes in our practices, features, or legal requirements. We will notify you of significant changes through the app or via email if you have provided one. Continued use of HEKA after changes constitutes acceptance of the updated policy.

XIV. CONTACT

Questions?

Last Updated: May 7, 2026