Privacy Policy

Last updated: March 19, 2026

1. Introduction

HereNow Labs, Inc. ("Company", "we", "us", "our") operates the Corro mobile application and the website askcorro.com (collectively, the "Service"). This Privacy Policy explains what personal information we collect, how we use it, with whom we share it, and the rights you have over your data.

Corro handles sensitive health data. We treat that data with heightened care — privacy-protective practices borrowed from healthcare contexts, even though Corro is not a HIPAA-covered entity.

2. Information We Collect

a) Apple Health Data (via HealthKit — with your explicit permission)

We read the following categories from Apple Health only when you grant permission for each category:

  • Workout metrics (duration, distance, calories, heart rate per workout) — to answer training load and activity questions
  • Steps, active energy, stand hours — to assess daily movement patterns
  • Heart rate, resting heart rate, heart rate variability (HRV) — to assess cardiovascular fitness and recovery
  • VO₂ Max estimate — to contextualize aerobic performance
  • Sleep duration and stages — to answer sleep quality and recovery questions
  • Weight, body fat %, BMI — to track body composition trends
  • Blood pressure and blood glucose — to provide context for cardiovascular and metabolic questions when present
  • Nutritional data (calories, protein, carbs, fat, water) — to answer nutrition and fueling questions

We never write data back to Apple Health. You can revoke any or all permissions at any time via iOS Settings → Health → Corro.

b) Account Information

  • Apple ID display name (provided by Apple Sign-In, only if you share it)
  • Authentication token (managed by Apple and Supabase Auth; not stored in plaintext by us)
  • Account creation timestamp

c) App Usage Data

  • Conversation history (your questions and Corro's responses)
  • App settings and preferences
  • Onboarding completion status
  • Subscription status (managed by RevenueCat)

d) Technical Data

  • iOS version and device model (for crash diagnosis only)
  • No advertising identifiers, no precise location data, no contacts

3. How We Use Your Information

We use your information exclusively to deliver the Corro service to you:

  • Assembling anonymized health summaries for AI coaching responses
  • Maintaining your conversation history across sessions
  • Processing subscription payments via RevenueCat and Apple App Store
  • Sending product communications (only if you opt in)
  • Detecting and preventing fraud and abuse
  • Complying with legal obligations

We do not use your health data to train AI models. We do not sell your data. We do not use your data for advertising.

4. How We Share Your Information

We share data only with the service providers necessary to operate Corro:

  • OpenAI, Inc. — Receives anonymized health metric summaries to generate AI responses. No raw personal identifiers, no Apple ID, no date of birth transmitted. OpenAI does not use API inputs to train its models. See OpenAI API data usage policy.
  • Supabase, Inc. — Database and authentication provider. Your data is stored with encryption at rest, Row Level Security, and hosted on AWS US-East infrastructure. See Supabase privacy policy.
  • RevenueCat, Inc. — Subscription and in-app purchase management. Receives only purchase receipt data, not health data. See RevenueCat privacy policy.
  • Apple, Inc. — Authentication (Apple Sign-In), App Store distribution, and HealthKit data access governed by Apple's privacy framework.
  • Legal and safety disclosures — We may disclose personal information if required by court order, subpoena, or applicable law, or to prevent imminent harm to any person.
  • Business transfer — In the event of a merger, acquisition, bankruptcy, or sale of assets, your data may be transferred. We will notify users and obtain consent as required by applicable law.

We do not sell, rent, or trade personal information to any third party. We do not share health data with advertisers or data brokers.

5. California Privacy Rights (CCPA/CPRA)

California residents have the following rights under the California Consumer Privacy Act and California Privacy Rights Act:

  • Right to Know: You may request disclosure of what personal information we collect, use, disclose, and sell about you. We will respond within 45 days.
  • Right to Delete: You may request deletion of your personal information. We will respond within 45 days. Limited exceptions apply (legal obligations, fraud prevention, service integrity).
  • Right to Correct: You may request correction of inaccurate personal information we hold about you.
  • Right to Opt-Out of Sale or Sharing: We do not sell or share personal information for advertising or cross-context behavioral advertising. No action is required to exercise this right.
  • Right to Limit Use of Sensitive Personal Information: Health data is a sensitive category under CPRA. You may request that we limit our use of your health data to only what is strictly necessary to deliver the Service.
  • Right to Non-Discrimination: We will not deny service, charge different prices, or provide a lesser level of service because you exercised any privacy right.

To exercise these rights, email privacy@askcorro.com with the subject line "Privacy Rights Request." We will verify your identity via Apple ID account match before processing deletion or correction requests. We will respond within 45 days; if we need additional time we will notify you and may take up to an additional 45 days.

You may also contact the California Privacy Protection Agency at cppa.ca.gov.

6. State Health Data Privacy

Residents of Washington, Nevada, New York, and other states with dedicated health data privacy laws have additional rights consistent with those laws, including the rights to access, delete, and correct health data and the right to opt-in consent for sharing of health data. Corro treats all health data as sensitive regardless of whether your state's law requires it.

7. Data Retention

Data Type | Retention Period
Health data (HealthKit) | 2 years from collection, or until you delete your account
Conversation history | 2 years, or until you delete your account
Account and settings | Until account deletion
Subscription and payment records | 7 years (tax and legal requirement)
Crash and technical logs | 90 days

Upon account deletion (Settings → Data & Privacy → Delete My Account): all health data and conversation history are permanently deleted within 30 days. Payment records are retained for 7 years as required by law.

8. Data Security

  • Encrypted in transit via TLS 1.2+
  • Encrypted at rest via AES-256 (Supabase on AWS)
  • Row Level Security: database-level enforcement prevents any user from accessing another user's rows
  • No employee access to individual health records without bypassing security controls
  • Regular security reviews

If a data breach affects your personal information, we will notify you within 30 days as required by California law (Civil Code § 1798.82). If a breach affects more than 500 California residents, we will also notify the California Attorney General.

9. Children's Privacy

Corro is intended for users 18 years of age and older. We do not knowingly collect personal information from anyone under 18. If you believe a minor has created an account or used the Service, contact privacy@askcorro.com and we will delete the account and associated data within 10 business days.

10. Third-Party Links

The Service may reference or link to external websites or resources. We are not responsible for the privacy practices or content of those third-party sites.

11. Changes to This Policy

We will notify you of material changes to this Privacy Policy via in-app notification or email at least 30 days before changes take effect. Continued use of the Service after the effective date constitutes acceptance of the revised policy. If you do not accept the changes, you must stop using the Service and may request account deletion.

12. Contact

HereNow Labs, Inc.
Attn: Privacy Officer
Email: privacy@askcorro.com

For California residents: You may also contact the California Privacy Protection Agency at cppa.ca.gov.

© 2026 HereNow Labs, Inc. All rights reserved.