Habitly Privacy Policy

Last updated: April 2026

1. Introduction

Habitly ("we", "our", or "the application") is committed to protecting the privacy of its users. This Privacy Policy explains how we collect, use, store, and protect your personal information when you use our mobile application.

By using Habitly, you accept the practices described in this policy. If you do not agree with this policy, please do not use the application.

2. Information We Collect

2.1 Account Information

When you create an account with email and password, we collect:

  • Username
  • Email address
  • Password (stored as a bcrypt hash; never in plain text)
  • Profile photo (optional)
  • Marketing consent (GDPR, disabled by default)

If you choose to sign in with Google:

  • Google ID (unique identifier)
  • Name associated with your Google account
  • Google email address

2.1.1 Guest Mode

If you choose to use the application as a guest:

  • We only collect a username
  • No email or password is required
  • A guest token is generated that allows migrating your data to a full account later
  • Guest mode has limited functionality (maximum 5 active habits)

2.2 Application Usage Information

To provide our services, we store:

  • Habits you create (name, frequency, goal, icon, color, duration, reminder time, scheduled days, pause state)
  • Habit completion logs (date, timestamp, local device time at completion, XP awarded)
  • Progress statistics (current and historical streaks, perfect days)
  • Experience level, XP points, and gamification system state
  • Unlocked achievements and unlock date
  • Freeze Day history (date of use, origin, streak and level at time of use)
  • Motivational quote preferences (favorites or hidden)
  • Custom motivational phrases you create (Premium feature)

The local time at which a habit is completed is used exclusively to evaluate "Early Bird" or "Night Owl" achievements; it is not tracked or shared with third parties.

2.3 Onboarding Preferences

During initial setup, you may optionally provide us with:

  • Primary goal for using the app
  • Preferred focus area
  • Experience level with habits
  • Preferred reminder schedule
  • Preferred motivation type

2.4 Technical and Device Information

For the application to work, we access:

  • Internet connection status
  • Device time zone and locale (language)
  • Notification settings and exact-alarm permissions
  • Local preferences (light/dark theme, language, habit order, sounds and haptics) stored on the device

2.5 Subscription and Purchase Information

If you purchase a premium plan through Google Play, we store:

  • Product identifier (e.g., monthly, yearly, or lifetime plan ID)
  • Subscription status and expiration date
  • Purchase token provided by Google Play (used to verify the purchase server-side)
  • Timestamps for grant events such as monthly freeze-day accruals

We do not receive or store payment-card numbers, bank-account information, or any other payment details. All payment processing happens within Google Play Billing.

2.6 Diagnostic and Error Data

We use Firebase Crashlytics to improve application stability. This service collects:

  • Error and crash reports
  • Device information (model, operating system)
  • Application state at the time of the error
  • Stack traces for diagnostics

This information is used exclusively to identify and fix technical errors. It does not include personally identifiable data.

3. How We Use Your Information

We use the collected information to:

  • Create and manage your user account
  • Enable tracking of your habits and sync them between your device and our servers
  • Calculate statistics, streaks, heatmaps, and personal progress
  • Send habit reminders (local device notifications)
  • Sync the day's habits with the Android home-screen widget
  • Provide the gamification system (XP, levels, achievements, freeze days)
  • Generate CSV or PDF exports of your data when you request them
  • Enable premium features and manage your subscription status
  • Diagnose and fix technical errors (see Firebase Crashlytics)
  • Respond to your support inquiries

We do NOT use your information to:

  • Display third-party advertising within the application
  • Sell or rent your data to third parties
  • Build behavioral profiles for marketing outside the application
  • Track your activity outside of Habitly

4. Storage and Security

4.1 Where We Store Your Data

  • Account data, habits, logs, and gamification data are stored in a PostgreSQL database on protected servers
  • Access and refresh tokens are saved encrypted in the device's secure storage (flutter_secure_storage)
  • Local preferences (theme, language, habit order, tutorials seen) are stored with SharedPreferences on the device
  • We do not store any local habit database: all operational information lives on the server and is fetched on demand

4.2 Security Measures

We implement the following protection measures:

  • Password hashing with bcrypt (passwords are never stored in plain text)
  • Encrypted communication via HTTPS/TLS
  • JWT-based authentication with short-lived access tokens (1h) and long-lived refresh tokens (45 days), with automatic rotation
  • Server-side input validation and sanitization, with rate limiting per IP and per user
  • Secure on-device credential storage

5. Third-Party Services

Habitly uses the following third-party services:

5.1 Google Sign-In

If you choose to sign in with Google, we use Google's authentication service. This information is subject to Google's Privacy Policy.

We only receive your name, email, and unique Google identifier. We do not access other data from your Google account.

5.2 Firebase Crashlytics (Google)

We use Firebase Crashlytics only in production builds to collect crash reports and help us improve stability. In development/debug builds, Crashlytics is disabled.

This service is subject to Firebase's Privacy Policy.

5.3 Google Play and Payment Processors

Subscriptions and in-app purchases are processed via Google Play Billing. Habitly does not receive or store credit card or payment data; it only receives a transaction identifier and subscription status from Google. This data is subject to Google's Privacy Policy.

6. Application Permissions

Habitly requests the following permissions:

  • Internet: Sync data with the server
  • Notifications: Send habit reminders
  • Exact alarms (SCHEDULE_EXACT_ALARM): Schedule reminders at the exact time you choose
  • Vibration: Haptic feedback when completing a habit (optional)
  • Photo / gallery access: Select profile photo (optional)
  • Battery optimization: Prevent the system from delaying or canceling reminders
  • Home-screen widget: Display the day's habits in an Android launcher widget
  • Storage (export): Save and share the CSV/PDF files you export

All permissions are used exclusively for the stated purposes.

7. Sharing Information

7.1 With Other Users

Habitly does not currently include social features (friends, group challenges, or leaderboards). Your habit and progress data is private and visible only to you within your account.

7.2 Exports Initiated By You

When you use the data export feature, a CSV or PDF file is generated on your device and you can share it manually through the system share sheet. Habitly does not send these files to any server.

7.3 Legal Requirements

We may disclose information when required by law, a valid court order, or to protect the rights, property, or safety of Habitly, its users, or third parties.

7.4 We Do Not Sell Your Data

We never sell, rent, or share your personal information with third parties for commercial or marketing purposes.

8. Data Retention

  • We keep your data as long as your account is active.
  • If you delete your account from Profile → Settings → Delete Account, all related data (user, habits, logs, achievements, freeze days, quote preferences, and onboarding) is permanently deleted along with it (cascading deletion).
  • Guest accounts that are not migrated to a full account may be periodically deleted after a long period of inactivity.
  • Technical logs (server logs) are kept for a limited time for debugging and security purposes, and are subsequently rotated or deleted.

9. Your Rights

Depending on your jurisdiction (for example, if you reside in the European Union, United Kingdom, California, or Mexico), you have the right to:

  • Access: Request a copy of your personal data.
  • Rectification: Correct inaccurate information directly from the profile screen or by contacting us.
  • Deletion: Delete your account and all your data from Profile → Settings → Delete Account, or by requesting it by email.
  • Portability: Export your habits and logs in CSV or PDF format from Settings → Export Data.
  • Objection and withdrawal of consent: Withdraw marketing consent at any time from your account settings.

To exercise any of these rights, contact us via the email address listed in the Contact section. We will respond within the timeframes required by applicable law.

10. Children's Privacy

Habitly is not directed at children under 13 years of age. We do not knowingly collect personal information from children under 13 (or the equivalent minimum age required by local law, e.g., 16 in certain EU countries). If we discover that we have collected information from a minor without verified parental consent, we will take steps to delete that information without delay.

11. International Data Transfers

Habitly operates from Mexico and may process your data on servers located outside your country of residence. By using the application, you acknowledge that your data may be transferred and processed in jurisdictions with data protection laws different from those of your country. We apply reasonable contractual and technical measures to protect such transfers.

12. Changes to this Policy

We may update this Privacy Policy occasionally. We will notify you of significant changes through:

  • In-app notification
  • Updating the "Last updated" date

We recommend reviewing this policy periodically.

13. Contact

If you have questions about this Privacy Policy or about your personal data, you can contact us at:

Email: habitlyhq@gmail.com

Developer: Habitly

14. Consent

By using Habitly, you consent to the collection and use of information in accordance with this Privacy Policy.

© 2026 Habitly. All rights reserved.