RawHabit

Privacy Policy

Last updated: November 30, 2025

1. Introduction

Welcome to RawHabit.ai, the accountability-first habit tracker. This Privacy Policy explains how HootCodes LTD ("we", "us", or "our") collects, uses, discloses, and protects your personal information when you use RawHabit.ai (the "Service").

We are committed to protecting your privacy and ensuring transparency in how we handle your data. This policy complies with the General Data Protection Regulation (GDPR) and other applicable data protection laws.

Data Controller:

HootCodes LTD
Sofia Center, Aleksandar Stamboliyski Blvd 55, 4
Sofia, 1000, Bulgaria
Email: [email protected]

2. Information We Collect

2.1 Information You Provide

  • Account Information: Email address, name, and profile picture (via Google OAuth)
  • Habit Data: Habit names, yearly targets, frequency settings, time ranges, and completion status
  • Photo Proofs: Images you upload to verify habit completion (stored securely in cloud storage)
  • Excuse Data: Reasons you provide when missing a habit, and AI conversation history
  • Social Features: Friend connections, challenges, shared habits, and comments
  • Payment Information: Processed securely through Stripe; we do not store your full credit card details
  • Preferences: Display name, country, language settings, and notification preferences

2.2 Information Automatically Collected

  • Push Notification Data: Device tokens and subscription endpoints for delivering notifications
  • Usage Data: Habit completion patterns, app interactions, and feature usage
  • Device Information: Browser type, operating system, device identifiers
  • Log Data: IP addresses, access times, pages viewed

2.3 AI-Processed Data

Important: RawHabit.ai uses AI (OpenAI's GPT models) to:

  • Validate and challenge excuses for missed habits
  • Verify photo proofs of habit completion
  • Determine if habits can be verified via photo
  • Generate personalized challenge messages

This data is processed in real time and is subject to OpenAI's privacy practices. We do not retain AI conversation logs beyond what's necessary for the excuse validation feature.

3. How We Use Your Information

We use your information for the following purposes:

  • Service Delivery: To track your habits, send reminders, and provide accountability features
  • Push Notifications: To send habit reminders, deadline warnings, and missed habit alerts
  • AI Features: To validate excuses, verify photos, and provide personalized feedback
  • Social Features: To enable friend connections, shared habits, challenges, and leaderboards
  • Account Management: To create and manage your account via Google OAuth
  • Payment Processing: To process subscriptions and commitment payments through Stripe
  • Communication: To send service updates, trial reminders, and support messages
  • Analytics: To understand usage patterns and improve our service
  • Security: To detect, prevent, and address technical issues and abuse

4. Legal Basis for Processing (GDPR)

We process your personal data based on the following legal grounds:

  • Contract Performance: Processing necessary to provide the Service you requested (habit tracking, notifications, AI validation)
  • Legitimate Interest: To improve our service, prevent fraud, ensure security, and operate leaderboards
  • Consent: For optional features like push notifications, photo proofs, and social features (you can withdraw consent anytime)
  • Legal Obligation: To comply with applicable laws, tax requirements, and regulations

5. Data Sharing and Disclosure

We may share your information with:

5.1 Service Providers

  • Stripe: Payment processing (subject to Stripe's Privacy Policy)
  • OpenAI: AI processing for excuse validation and photo verification (subject to OpenAI's Privacy Policy)
  • Cloud Storage (MinIO/S3): Secure storage for photo proofs
  • MongoDB Atlas: Database hosting and management
  • Fly.io: Application hosting and infrastructure
  • Postmark: Transactional email delivery

5.2 Social Features

When you use social features, certain information is shared with other users:

  • Friends can see your habit completion status and streaks
  • Leaderboard displays your display name (or "Anonymous" if you opt out) and country
  • Challenge participants can see shared habit progress
  • You control visibility through privacy settings

5.3 Legal Requirements

We may disclose your information if required by law, court order, or government request, or to protect our rights, safety, or property.

5.4 Business Transfers

In the event of a merger, acquisition, or sale of assets, your information may be transferred to the acquiring entity.

6. Your Rights Under GDPR

As a data subject in the EU, you have the following rights:

  • Right to Access: Request a copy of your personal data
  • Right to Rectification: Correct inaccurate or incomplete data
  • Right to Erasure: Request deletion of your data ("right to be forgotten")
  • Right to Restrict Processing: Limit how we use your data
  • Right to Data Portability: Receive your data in a machine-readable format
  • Right to Object: Object to certain types of processing
  • Right to Withdraw Consent: Withdraw consent for processing based on consent
  • Right to Lodge a Complaint: File a complaint with your local data protection authority

To exercise any of these rights, please contact us at [email protected]. We will respond within 30 days.

7. Data Retention

We retain your personal data only for as long as necessary to fulfill the purposes outlined in this Privacy Policy, unless a longer retention period is required by law.

  • Account Data: Retained while your account is active and for 90 days after deletion request
  • Habit Data: Retained while your account is active; deleted with account
  • Photo Proofs: Retained for 1 year or until you delete them
  • Excuse History: Retained for pattern analysis while account is active
  • Payment Records: Retained for 7 years for tax and accounting compliance
  • Push Subscriptions: Deleted when subscription expires or you disable notifications

8. Data Security

We implement appropriate technical and organizational measures to protect your personal data:

  • Encryption in transit (TLS/SSL) and at rest
  • Secure authentication via Google OAuth
  • Password-free authentication (OAuth only) reduces credential theft risk
  • Presigned URLs for secure photo access (time-limited)
  • VAPID-authenticated push notifications
  • Regular security updates and dependency auditing
  • Access controls and authentication mechanisms

However, no method of transmission over the Internet is 100% secure. We cannot guarantee absolute security of your data.

9. Push Notifications

RawHabit.ai uses web push notifications to deliver habit reminders and accountability alerts. When you enable push notifications:

  • We store your browser's push subscription endpoint and authentication keys
  • Notifications are sent using VAPID (Voluntary Application Server Identification)
  • You can disable notifications at any time through your browser settings or the app
  • We send notifications for: habit reminders, deadline warnings, missed habits, friend activity, and trial expiration

10. International Data Transfers

HootCodes LTD is based in Bulgaria (EU). Your data may be processed in:

  • European Union: Primary data processing and storage
  • United States: AI processing via OpenAI, payment processing via Stripe

For transfers outside the EU, we ensure adequate safeguards are in place through Standard Contractual Clauses or adequacy decisions in compliance with GDPR.

11. Cookies and Local Storage

RawHabit.ai uses minimal cookies and local storage:

  • Session Cookies: Essential for authentication and maintaining your login state
  • Local Storage: Storing your theme preference, language settings, and PWA state
  • Service Worker: For PWA functionality and offline support

We do not use advertising or tracking cookies. For more details, see our Cookie Policy.

12. Children's Privacy

RawHabit.ai is not intended for children under 16 years of age. We do not knowingly collect personal data from children. If we become aware that a child has provided us with personal data, we will delete it promptly. If you believe a child has provided us with personal data, please contact us at [email protected].

13. Third-Party Links

Our Service may contain links to third-party websites (e.g., Stripe payment portal). We are not responsible for the privacy practices of these external sites. Please review their privacy policies before providing any personal information.

14. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. We will notify you of any material changes by posting the new policy on this page and updating the "Last updated" date. For significant changes, we may also notify you via email or in-app notification. Continued use of the Service after changes constitutes acceptance of the updated policy.

15. Contact Us

If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:

HootCodes LTD
Data Protection Inquiries
Email: [email protected]
Address: Sofia Center, Aleksandar Stamboliyski Blvd 55, 4
Sofia, 1000, Bulgaria

This Privacy Policy is part of our commitment to transparency and your privacy rights under GDPR.
RawHabit.ai — Face yourself. No excuses.