Privacy Policy

1. Account Information

When you create an account, we collect:

• Email address: Required for account creation (optional for Apple Sign-In users as a privacy feature)
• Username: Required, unique identifier
• Password: Stored securely using industry-standard encryption. Apple Sign-In users do not need to set a password
• Full name: Optional
• Phone number and country code: Optional
• Identity statement: Optional (user-defined text describing the person you strive to be)
• Apple User ID: If you sign in with Apple, we collect your Apple User ID to link your account

2. Habit Tracking Data

To provide our core habit tracking functionality, we collect:

• Habit information: Titles, descriptions, categories, tracking types, measures/units, priority levels, colors, emojis, and whether the habit is positive or negative (quit habit)
• Habit entries: Daily performance data, dates, completion amounts/times, associated notes, references to habits, targets, goals, and users, and optional photos or image references you attach to entries (e.g., Photo Log)
• Target data: Habit targets, timeframes (daily, weekly, custom intervals), schedules, date ranges, and completion status
• Goals and milestones: Goal titles, descriptions, targets, completion status, associated milestones, and linked habits
• Streak information: Current and longest streaks for each habit
• Achievement data: Achievement history, unlocked levels, achievement dates, and associated habit information
• Archived habits: Habits that have been archived but not deleted

3. Onboarding Information

During the onboarding process, we collect:

• User preferences: Answers to onboarding questions (multiple choice selections and free text responses)
• Selected options: Your choices during the onboarding flow
• AI-generated habit suggestions: When you complete onboarding, we may send your answers and profile information to our AI provider (OpenAI) to generate personalized habit suggestions. You can still build habits manually if you prefer not to rely on those suggestions.

4. Notification Preferences

We collect your notification settings including:

• Global notification preferences: Enabled/disabled status
• Quiet hours: Start and end times
• Notification types: Sound, vibration, badge count preferences
• Reminder settings: Streak reminders, weekly summaries, achievement notifications, motivational messages, and reminder if missed
• Per-habit notification preferences: Custom notification times and settings for individual habits

5. Usage and Performance Data

We automatically collect:

• Experience points: Gamification points earned through habit completion
• Level information: User level, current level XP, next level XP, and progression data
• Statistics: Performance metrics, completion rates, daily scores, longest streaks by habit, and time-based analytics
• Habit sort order: Your preferred sorting method for habits

6. Authentication Data

• Authentication tokens: Stored securely on your device using encrypted storage for authentication purposes
• Apple identity tokens: Used for Apple Sign-In authentication and verification
• Google tokens: If Google Sign-In is enabled (currently disabled in the app)

7. Device and Technical Information

• Device identifiers: Through Adapty (subscription management service), though we have configured Adapty to disable IP address collection and Apple IDFA collection where possible
• App version: For compatibility and support purposes

8. Guest Account Data

If you use the App as a guest:

• Temporary username: Auto-generated temporary identifier
• Temporary email: Auto-generated temporary email address
• Onboarding data: Your onboarding responses and suggested habits
• Habit data: Any habits created during guest usage

Guest accounts can be converted to permanent accounts through email verification or with Apple Sign In.

9. Website usage (galbit.app)

When you visit our Website, we and our analytics vendors may collect information automatically through cookies and similar technologies, including:

• Google Tag Manager: Loads and coordinates marketing and analytics tags (container ID GTM-NXWQN48F)
• Google Analytics: Usage data such as pages viewed, approximate location (region), device type, browser, and referral information (measurement ID G-WBHSTDPYN9)

This Website data is generally not linked to your App account unless you are signed in on a page that explicitly ties them together (the marketing site does not require an App login). For more on how Google uses data, see Google's policies. You can control cookies through your browser settings where available.

Local Storage

• Secure Storage: Authentication tokens are stored using encrypted storage on your device
• Local Preferences: Notification preferences and habit sort order are stored locally on your device for quick access

Cloud Storage

Your data is stored on secure servers:

• Database: MongoDB Atlas (cloud database service)
• Backend API: Hosted on Render.com
• Data Transmission: All data transmission uses HTTPS encryption

We implement appropriate technical and organizational measures to protect your personal information, including:

• Encryption: Data in transit is encrypted using industry-standard encryption protocols
• Password Security: Passwords are encrypted and never stored in plain text
• Authentication: Secure authentication mechanisms with token expiration
• Access Controls: Our systems require authentication for access to user data
• Secure Storage: Sensitive data is stored using encrypted storage

Data Retention

• Active Accounts: We retain your personal information for as long as your account is active and you use our services
• Deleted Accounts: When you delete your account, we will delete or anonymize your personal information, except where we are required to retain it for legal or legitimate business purposes (e.g., transaction records)
• Guest Accounts: Guest account data may be deleted if not converted to a permanent account within a reasonable period

1. Adapty (Subscription Management)

• Purpose: Manages in-app subscriptions and purchases
• Data Collected: Purchase transaction data, subscription status, user identification (user ID)
• Privacy Settings: We have configured Adapty to disable IP address collection and Apple IDFA collection where possible
• Privacy Policy: https://adapty.io/privacy/
• Note: Adapty is only activated on mobile platforms (iOS/Android), not on web

2. Apple Sign-In

• Purpose: Authentication service allowing you to sign in with your Apple ID
• Data Collected: Apple User ID, email (optional - you can choose to hide your email), full name (if provided)
• Privacy Features: Email address is optional and can be hidden for privacy. If you sign in with Apple, your email cannot be changed through the App (managed by Apple)
• Privacy Policy: https://www.apple.com/privacy/

3. OpenAI (Puff — AI coaching in the App)

• Purpose: Powers Puff's AI coaching in the App, including personalized habit suggestions after onboarding; habit "system" ideas from a goal you type; weekly written summaries derived from statistics you send from the App; Excuse Killer chat support (your messages and the habits you are struggling with); and Photo Log image analysis to rank which of your habits a photo may represent
• Data sent (varies by feature): Onboarding answers and profile fields; goal text; aggregated stats strings (e.g., recent scores, completion rates, streak summaries); chat messages and habit titles/IDs for Excuse Killer; photos you upload for Photo Log plus titles/descriptions of your active habits so the model can match contextually
• AI credits: Many AI actions consume monthly credits tracked on your account; limits are higher for eligible paid subscribers than for free users. Credits reset monthly as described in the App
• Privacy Policy: https://openai.com/policies/privacy-policy
• Your choices: You decide when to open Excuse Killer, run the weekly summary, use Photo Log matching, or request goal-based habit ideas. You can build and log habits without using these AI features; onboarding suggestions can be ignored or edited

4. Brevo (Email Delivery Service)

• Purpose: Sends email verification codes for guest account conversion
• Data Processed: Your email address and verification codes
• Service Provider: Brevo (formerly Sendinblue)
• Privacy Policy: https://www.brevo.com/legal/privacypolicy/
• Data Usage: Email addresses are used solely for sending verification codes and are not used for marketing purposes

5. MongoDB Atlas (Database Hosting)

• Purpose: Cloud database service that stores your account and habit data
• Data Stored: All user account information, habits, entries, goals, achievements, and preferences
• Privacy Policy: https://www.mongodb.com/legal/privacy-policy
• Security: MongoDB Atlas provides enterprise-grade security and encryption

7. Google Tag Manager & Google Analytics (Website)

• Purpose: Measure traffic and campaign performance on galbit.app
• Data: Device, browser, pages viewed, and related usage data collected per Google's policies
• Google Tag Manager: Google Privacy Policy
• Google Analytics: Google Privacy Policy; you may use browser or OS controls to limit cookies where available

How to Exercise Your Rights

To exercise any of these rights, please contact us at support@galbit.app. We will respond to your request within a reasonable timeframe and in accordance with applicable data protection laws.

For account deletion, you can use the "Delete Account" feature in the App's Edit Profile section, or contact our support team.

Notifications

• Purpose: To send you local notifications for habit reminders, streak reminders, weekly summaries, achievement notifications, and motivational messages based on your preferences
• User control: You can enable or disable notifications at any time through App settings. You can also configure quiet hours, notification types (sound, vibration, badge), and per-habit notification preferences
• Permission screen: The App includes a dedicated screen requesting notification permissions with clear explanation

Photos and camera (App)

• Purpose: To let you attach images to habit entries and use Photo Log features (including AI-assisted habit matching when you choose it)
• User control: The operating system may prompt for photo library or camera access; you can change permissions in device settings

European Privacy Rights (GDPR)

If you are located in the European Economic Area (EEA), you have additional rights under the General Data Protection Regulation (GDPR):

• Right to Access: You have the right to request access to your personal data
• Right to Rectification: You have the right to request correction of inaccurate or incomplete data
• Right to Erasure: You have the right to request deletion of your personal data ("right to be forgotten")
• Right to Restrict Processing: You have the right to request restriction of processing of your personal data
• Right to Data Portability: You have the right to receive your personal data in a structured, commonly used, and machine-readable format
• Right to Object: You have the right to object to processing of your personal data
• Right to Withdraw Consent: You have the right to withdraw consent at any time where processing is based on consent

To exercise any of these rights, please contact us at support@galbit.app. We will respond within one month of receiving your request.

California Privacy Rights (CCPA)

If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA):

• Right to Know: You have the right to know what personal information is collected, used, shared, or sold
• Right to Delete: You have the right to request deletion of your personal information
• Right to Opt-Out: You have the right to opt-out of the sale of personal information (we do not sell personal information)
• Right to Non-Discrimination: You have the right to non-discrimination for exercising your privacy rights

To exercise any of these rights, please contact us at support@galbit.app. We do not sell your personal information to third parties.

Other Jurisdictions

We strive to comply with applicable data protection laws in all jurisdictions where we operate. If you have questions about your privacy rights in your jurisdiction, please contact us at support@galbit.app.