Privacy Policy
Last updated: March 17, 2026
1. Introduction
Welcome to Habictive ("we," "us," or "our"). We are committed to protecting your personal data and respecting your privacy.
This Privacy Policy explains how we collect, use, store, share, and protect your personal information when you use the Habictive website at habictive.com and the services we provide (collectively, the "Service"). It also describes your rights regarding your personal data and how you can exercise them.
This policy applies to all users of the Service, regardless of location. We comply with the EU General Data Protection Regulation (GDPR), and we extend GDPR-level protections to all our users worldwide.
2. Data Controller
The data controller responsible for your personal data is:
- Business entity: FOP Yaroslav Kryvenko (sole proprietor under Ukrainian law)
- Location: Kyiv, Ukraine
- Contact email: info@habictive.com
If you have any questions about how we process your personal data or wish to exercise your rights, please contact us at the email address above.
3. Information We Collect
3.1 Account Data
When you create an account, we collect your email address and name. If you register via Google OAuth, we receive your name and email address from Google. We use this information to create and manage your account.
3.2 Usage Data
As you use the Service, we collect data about your habits, including habit names, daily completion records, streaks, achievement progress, and your responses to our personalization quiz. This data is essential to providing you with the core functionality of the Service.
3.3 Payment Data
When you subscribe to a paid plan, payment transactions are processed entirely by Paddle.com Market Limited ("Paddle"), which acts as the Merchant of Record for all transactions. We do not collect, store, or have access to your full credit card number, debit card number, or bank account details. We only receive and store your subscription status, plan type, and billing cycle from Paddle. Paddle's handling of your payment data is governed by the Paddle Privacy Policy.
3.4 Technical Data
We automatically collect certain technical information when you access the Service, including your IP address, browser type and version, device type, operating system, and referring URLs. This data is collected through standard server logs and is used to maintain the security and performance of the Service.
3.5 Cookies
We use strictly necessary cookies for authentication and session management only. These cookies are essential for the Service to function and cannot be disabled. We do not use tracking cookies, advertising cookies, or any third-party cookies for marketing purposes.
4. How We Use Your Information
We use the information we collect for the following purposes:
- Providing the Service: To create and manage your account, track your habits, calculate streaks, generate statistics, and deliver your personalized habit system.
- Improving the Service: To analyze usage patterns (in aggregate, anonymized form) to improve features, fix bugs, and enhance the overall user experience.
- Processing payments: To manage your subscription, process payments through Paddle (our Merchant of Record), and maintain accurate billing records.
- Transactional communications: To send you essential emails related to your account, including account confirmation, password reset, subscription confirmations, and payment receipts.
- Security: To detect, prevent, and respond to fraud, abuse, security incidents, and technical issues.
- Legal compliance: To comply with applicable legal obligations, such as tax reporting and responding to lawful requests from authorities.
We do NOT send marketing or promotional emails without your explicit opt-in consent. You will never receive unsolicited marketing from us unless you have specifically opted in to receive such communications.
5. Legal Basis for Processing (GDPR)
Under the General Data Protection Regulation (GDPR), we process your personal data on the following legal bases:
- Contract performance (Article 6(1)(b) GDPR): Processing your account data, usage data, and payment data is necessary to perform our contract with you (the Terms of Service) and provide the Service you have requested.
- Legitimate interests (Article 6(1)(f) GDPR): We process technical data and aggregated usage analytics based on our legitimate interest in maintaining the security, stability, and performance of the Service, and in improving the user experience. These interests are balanced against your rights and do not override your fundamental rights and freedoms.
- Consent (Article 6(1)(a) GDPR): Where we process data based on your consent (such as optional marketing communications), you have the right to withdraw your consent at any time. Withdrawal of consent does not affect the lawfulness of processing carried out before the withdrawal.
- Legal obligation (Article 6(1)(c) GDPR): We may process certain data to comply with legal obligations, such as retaining payment records for tax and accounting purposes.
6. Data Sharing
We share your personal data only with the following third-party service providers, solely for the purposes of operating and delivering the Service:
6.1 Supabase
Our database is hosted on Supabase (backed by PostgreSQL). Supabase stores your account data, habit data, and usage data with Row Level Security (RLS) policies ensuring that each user can only access their own data. See the Supabase Privacy Policy.
6.2 Paddle
Paddle.com Market Limited acts as the Merchant of Record and processes all payment transactions. When you subscribe to a paid plan, Paddle collects and processes your payment information directly. We only receive subscription status information from Paddle. Paddle also handles all sales tax and VAT obligations. See the Paddle Privacy Policy.
6.3 Vercel
Our website is hosted on Vercel. Vercel may process technical data (such as IP addresses) as part of delivering the website to your browser. See the Vercel Privacy Policy.
6.4 Google
If you choose to sign in with Google OAuth, Google provides us with your name and email address for authentication purposes. We do not share your data back with Google. See the Google Privacy Policy.
We do NOT sell, rent, or trade your personal data to any third party for marketing, advertising, or any other commercial purpose.
7. Data Retention
We retain your personal data only for as long as necessary to fulfill the purposes for which it was collected:
- Account and usage data: Retained for as long as your account is active. If you delete your account, all personal data (including habits, completions, streaks, quiz responses, and profile information) will be permanently deleted from our systems within 30 days of your deletion request.
- Payment records: Subscription and transaction records are retained for a minimum of 7 years after the transaction date, as required by Ukrainian tax legislation and international accounting standards.
- Technical logs: Server logs containing IP addresses and technical data are retained for no longer than 90 days and are then automatically purged.
- Backups: Encrypted database backups may contain your data for up to 30 days after account deletion. After this period, all backup copies containing your data will be overwritten through the regular backup rotation cycle.
8. Your Rights (GDPR)
Under the GDPR and applicable data protection laws, you have the following rights regarding your personal data:
- Right to access (Article 15 GDPR): You have the right to request a copy of the personal data we hold about you and information about how it is being processed.
- Right to rectification (Article 16 GDPR): You have the right to request correction of any inaccurate personal data we hold about you, or to have incomplete data completed.
- Right to erasure (Article 17 GDPR): You have the right to request deletion of your personal data. You can delete your account at any time through the app settings, and all associated data will be removed within 30 days.
- Right to data portability (Article 20 GDPR): You have the right to receive your personal data in a structured, commonly used, and machine-readable format, and to transmit that data to another controller.
- Right to object (Article 21 GDPR): You have the right to object to the processing of your personal data based on legitimate interests. We will cease processing unless we can demonstrate compelling legitimate grounds.
- Right to restrict processing (Article 18 GDPR): You have the right to request restriction of processing of your personal data in certain circumstances.
- Right to withdraw consent: Where processing is based on your consent, you have the right to withdraw that consent at any time. This does not affect the lawfulness of processing prior to withdrawal.
How to exercise your rights: To exercise any of these rights, please contact us at info@habictive.com. We will respond to your request within 30 days. If we need additional time, we will inform you within the initial 30-day period. You also have the right to lodge a complaint with a supervisory authority if you believe your rights have been violated.
9. Data Security
We take the security of your personal data seriously and implement appropriate technical and organizational measures to protect it:
- Row Level Security (RLS): Our Supabase database uses Row Level Security policies, ensuring that each user can only access, modify, and delete their own data at the database level.
- Encrypted connections: All data transmitted between your browser and our servers is encrypted using HTTPS/TLS. All connections to our database and third-party services are also encrypted.
- Secure authentication: Passwords are securely hashed and salted. We support OAuth-based authentication through Google for additional security. Authentication sessions are managed with secure, HTTP-only cookies.
- Regular security reviews: We conduct regular reviews of our security practices, dependencies, and infrastructure to identify and address potential vulnerabilities.
- Access controls: Access to production data is strictly limited and protected by multi-factor authentication.
While we implement commercially reasonable security measures, no method of transmission over the Internet or electronic storage is 100% secure. We cannot guarantee absolute security, but we are committed to protecting your data to the best of our ability.
10. International Data Transfers
Your personal data may be transferred to, stored, and processed in countries outside of your country of residence, including the United States, where our infrastructure providers (Supabase, Vercel, and Paddle) operate servers.
When your data is transferred outside the European Economic Area (EEA), we ensure that adequate safeguards are in place to protect your data, including:
- Our service providers maintain compliance with applicable data protection frameworks
- Standard contractual clauses (SCCs) approved by the European Commission are in place where applicable
- Data processing agreements with all third-party providers that mandate appropriate security and privacy measures
By using the Service, you acknowledge that your data may be processed in the United States and other countries where our service providers operate.
11. Children's Privacy
The Service is not directed at children under the age of 16. We do not knowingly collect personal data from children under 16. If you are under 16, please do not create an account or submit any personal data through the Service.
If we become aware that we have collected personal data from a child under 16, we will take immediate steps to delete such data from our systems. If you believe that a child under 16 has provided us with personal data, please contact us at info@habictive.com so we can take appropriate action.
12. Changes to This Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. When we make changes, we will:
- Update the "Last updated" date at the top of this page
- Notify registered users via email about material changes at least 14 days before they take effect
- For significant changes that affect how we collect, use, or share your data, provide at least 30 days' notice
We encourage you to review this Privacy Policy periodically to stay informed about how we protect your data. Your continued use of the Service after any changes constitutes acceptance of the updated policy.
13. Contact Information
If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:
- Business entity: FOP Yaroslav Kryvenko
- Location: Kyiv, Ukraine
- Email: info@habictive.com
- Website: habictive.com
We aim to respond to all privacy-related inquiries within 30 days. If you are not satisfied with our response, you have the right to lodge a complaint with your local data protection supervisory authority.