Plain English first. We've written this policy to be clear and direct. Every section starts with a plain-language summary before the full detail. If you have questions, contact us anytime.
Section 01
Information We Collect
We collect only what's necessary to deliver and improve HabitFlow. We never sell your data or collect information for purposes beyond what's described here.
| Data Type | Examples | Why We Collect It |
|---|---|---|
| Account Information | Name, email address, profile photo | Create and manage your account |
| Habit Data | Habit names, completion logs, streaks, notes | Core app functionality and progress tracking |
| Usage Data | Feature interactions, session duration, app events | Improve app performance and user experience |
| Device Information | OS version, device model, app version | Diagnose bugs and ensure compatibility |
| Payment Info | Billing address, last 4 digits of card | Process subscriptions (handled by Stripe) |
| Communications | Support messages, feedback submissions | Respond to your inquiries |
Information you provide directly
When you create an account or use HabitFlow, you actively provide us with information such as your name, email, and the habits you choose to track. This data lives at the core of the app and is always under your control.
Information collected automatically
We automatically collect certain technical data when you use the app — such as which features you use, crash reports, and performance diagnostics. This data is anonymised and aggregated wherever possible.
Information we do NOT collect
- Health or medical records (habit data is not treated as health data)
- Location data (we never request or store your GPS position)
- Contacts, photos, or microphone/camera access unless you explicitly grant it for profile photos
- Biometric identifiers of any kind
Section 02
How We Use Your Data
Your data has a purpose — and that purpose is you. We use the information we collect strictly to operate, improve, and personalise HabitFlow for your benefit.
Core purposes
- Delivering the service — syncing your habits, streaks, and reminders across your devices
- Personalisation — tailoring your dashboard, insights, and suggestions based on your tracked habits
- Notifications — sending reminders at times you configure (you can disable these at any time)
- Support — responding to your questions, troubleshooting issues you report
- Security — detecting and preventing fraudulent or abusive account activity
Product improvement
We analyse anonymised, aggregated usage patterns to understand how people use HabitFlow and where we can do better. No individual's data is ever examined in this context — only group-level, de-identified trends.
Legal basis (GDPR users)
For users in the European Economic Area, we process your personal data under the following lawful bases: contract performance (delivering the app you signed up for), legitimate interests (improving security and app quality), and consent (marketing communications, which you can withdraw at any time).
We never use your data for advertising. HabitFlow does not display third-party ads, and we do not sell, rent, or license your data to advertisers or data brokers — ever.
Section 03
Data Storage & Security
We take security seriously and apply industry-standard protections to your data — both in transit and at rest.
Where your data is stored
HabitFlow's servers are hosted on Google Cloud Platform infrastructure in the United States and European Union. If you're located in the EU, we route your data to EU-based servers by default to comply with GDPR data residency requirements.
Security measures
- All data transmitted between your device and our servers is encrypted using TLS 1.3
- Data at rest is encrypted using AES-256 encryption
- Access to production systems is restricted to authorised personnel only, using multi-factor authentication
- We conduct regular third-party security audits and penetration testing
- Your password is hashed using bcrypt — we never store it in plain text
- We maintain an incident response plan and will notify you within 72 hours of any breach that affects your data
Offline & local data
Some habit data may be stored locally on your device for offline access. This local data is protected by your device's built-in encryption and access controls. We do not have access to data stored only on your device that has not yet synced to our servers.
Section 04
Sharing & Third Parties
We share your data only with trusted service providers who help us operate HabitFlow, and only to the extent necessary for them to perform their specific function.
Our service providers
| Provider | Purpose | Data Shared |
|---|---|---|
| Google Cloud | Infrastructure & hosting | All app data (encrypted) |
| Stripe | Payment processing | Billing information only |
| Firebase | Push notifications | Device token, notification payload |
| Sentry | Crash reporting | Anonymised error logs |
| Intercom | Customer support | Name, email, support messages |
We never share your data for:
- Advertising or marketing by third parties
- Sale to data brokers or analytics companies
- Law enforcement purposes, except when legally compelled by a valid court order (we will notify you when legally permitted to do so)
Business transfers
If HabitFlow is acquired by or merged with another company, your data may be transferred as part of that transaction. We will notify you by email and through the app before your data becomes subject to a different privacy policy, giving you the opportunity to delete your account.
Section 05
Your Rights & Choices
You have meaningful control over your data. The following rights apply to all users — and we make them easy to exercise directly from the app settings.
Access
Request a full copy of all personal data we hold about you, including your habits history, exported as JSON or CSV.
Correction
Update or correct any inaccurate personal information directly within the app's account settings at any time.
Deletion
Delete your account and all associated data permanently. Deletion is irreversible and completed within 30 days.
Portability
Export all your habit data in a machine-readable format (JSON or CSV) from Settings → Export Data anytime.
Opt-Out
Withdraw consent for marketing emails or analytics collection at any time — no justification required.
Restriction
Request that we restrict processing of your data while a dispute about accuracy or legal basis is being resolved.
To exercise any right, go to Settings → Privacy in the app, or contact our privacy team. We respond to all requests within 30 days (GDPR requirement). California residents have additional rights under CCPA — including the right to know about data sold (we don't sell any) and the right to non-discrimination.
Section 06
Data Retention
We keep your data for as long as your account is active, or for as long as needed to provide the service. We apply specific retention periods for different categories of data:
- Active account data — retained for the lifetime of your account and deleted within 30 days of account closure
- Backup copies — purged within 90 days of account deletion from all backup systems
- Payment records — retained for 7 years to comply with financial regulations
- Support communications — retained for 3 years for quality assurance purposes
- Anonymised usage analytics — retained indefinitely (no personal information is included)
When you delete individual habits or logs within the app, that data is removed immediately from what you can see and is purged from our databases within 14 days.
Section 07
Children's Privacy
HabitFlow is not directed to children under the age of 13 (or 16 in the European Economic Area). We do not knowingly collect personal information from children under these ages.
If you are a parent or guardian and believe your child has provided personal information to HabitFlow without your consent, please contact us immediately. We will take prompt steps to delete that information from our systems.
Users between the ages of 13 and 18 should use HabitFlow only with parental consent. We encourage parents to review this policy with their children and discuss safe digital habits.
Section 08
Cookies & Tracking
The HabitFlow mobile app does not use browser cookies. However, our website and web-based dashboard do use a minimal set of cookies and similar tracking technologies.
Cookies we use on our website
- Essential cookies — required for authentication and session management. Cannot be disabled.
- Preference cookies — remember your theme preference (light/dark mode) and language setting.
- Analytics cookies — anonymised usage data via a self-hosted, GDPR-compliant analytics tool. You can opt out in Cookie Settings.
What we do not use
- Third-party advertising cookies
- Cross-site tracking pixels
- Social media tracking scripts
- Fingerprinting or device recognition techniques
You can manage cookie preferences at any time through the Cookie Settings link in the footer of our website, or through your browser settings.
Section 09
Policy Changes
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, or legal requirements. When we do, we'll let you know in a meaningful way — not just a buried footer update.
How we notify you of changes
- Material changes — we will send you an email notification at least 30 days before the change takes effect, and display an in-app banner
- Minor changes — we will update the "Effective date" at the top of this page and post a brief changelog below
- Continued use — using HabitFlow after a change becomes effective constitutes your acceptance of the revised policy
We keep previous versions of this policy archived. If you'd like a copy of a prior version, contact us and we'll provide it within 5 business days.
Section 10
Contact Us
Questions about this policy, requests to exercise your rights, or concerns about how we handle your data — our privacy team is here to help and typically responds within 2 business days.