📋 Privacy Policy

1. Data Controller

CraftTechLabs
ul. Wojska Polskiego
46-380 Dobrodzień, Poland
Email: hello@habitwins.app

2. What Data We Collect

IMPORTANT: DEMO Mode (without registration)

• ZERO data on server: in DEMO mode we do NOT collect or store any data on CraftTechLabs servers
• localStorage: all DEMO data is stored EXCLUSIVELY locally in the User's browser
• No CraftTechLabs access: we have no access to DEMO data, it is exclusively on the User's device
• IP address: basic server logs may contain IP addresses from requests (standard web server practice)

Personal Data (only with registered account):

• User account: email, username, first name, last name
• Age verification: confirmation of legal age (18+) via checkbox
• Password: stored in hashed form

Application Data (only with registered account):

• Habits and sessions: practice time, habit types, statistics
• Contracts: User's own goals, private self-rewards, duration period
• Preferences: application settings

Note: "Rewards" in the application are User's private notes - the application does not offer or provide any rewards.

Technical Data:

• IP address: automatically collected (server logs)
• Device information: browser type, operating system
• Cookies: to maintain user session (only with account)

3. Purpose of Data Processing

• Service provision: operation of the habit-building application
• Age verification: confirmation of legal age (18+)
• Communication: sending email notifications
• Security: protection against abuse
• Application improvement: usage analysis and optimization

4. Legal Basis (GDPR)

• Service provision: performance of contract (Art. 6.1.b GDPR)
• Age verification: user consent (Art. 6.1.a GDPR)
• Marketing: legitimate interest (Art. 6.1.f GDPR)
• Consent: for optional features (Art. 6.1.a GDPR)

5. Data Sharing

We do not sell or share your personal data with third parties, except for:

• Service providers: hosting (VPS), email (Gmail Workspace)
• Legal obligation: upon request by state authorities
• Future integrations: payments (Stripe, PayPal) - with consent

6. Data Retention

• Active account: throughout the entire period of service use
• After account deletion: 30 days (backup and security)
• Accounts without consent: immediately deleted if checkboxes not selected (age 18+, terms of service, privacy policy)
• Email registration: checkboxes on registration form - not selected = account not created
• Google OAuth registration: checkboxes displayed AFTER authorization - not selected = account deletion
• Server logs: 12 months (security)

IMPORTANT: Data Integrity Disclaimers

• No guarantee: we do not guarantee data integrity, availability, or security 100% of the time
• Possible loss: data may be lost due to failures, application errors, cyberattacks, or other events
• Backups: we perform daily backups, but do not guarantee their effectiveness in every case
• User responsibility: regular data export (JSON) is the User's responsibility
• Liability: in accordance with the Terms of Service (section 10) and applicable law
• GDPR: the above disclaimers do not violate User rights under GDPR (see section 7)

Account Deletion Process (Soft Delete):

• Data anonymization: after account deletion, personal data is irreversibly anonymized (email, password, first name, last name)
• Login impossibility: anonymized account cannot be used for re-login
• Analytics preservation: anonymized data may be retained for analytical and statistical purposes (in accordance with Art. 89 GDPR)
• Data aggregation: detailed session data is aggregated into statistics (space savings without loss of analytical value)
• GDPR Art. 17: this process meets "right to be forgotten" requirements through irreversible anonymization

7. User Rights (GDPR)

The User has the right to:

• Access: check what data we process
• Rectification: correct inaccurate data
• Erasure: permanent deletion of account and data
• Restriction: temporary suspension of processing
• Data portability: export data in JSON format
• Object: to marketing processing
• Withdraw consent: at any time

Contact: hello@habitwins.app

8. Security

• HTTPS encryption: SSL/TLS for all communication
• Password hashing: bcrypt with salt
• Tokenization: JWT for secure sessions
• Monitoring: security logs and audit trail
• Backups: encrypted backup copies

9. Cookies and Tracking Technologies

We use cookies for:

• User sessions: maintaining login
• Preferences: saving settings
• Security: CSRF protection
• Timers: localStorage for active stopwatches

You can disable cookies in your browser, but this may limit functionality.

10. Age Verification

• Minimum age: 18 years (legal age)
• Verification: mandatory confirmation via checkbox "I am 18 years or older"
• Email registration: checkboxes displayed on form - selection required before account creation
• Google OAuth registration: checkboxes displayed AFTER Google authorization - not selected results in account deletion
• Required consents: age 18+, acceptance of terms of service, acceptance of privacy policy
• User responsibility: for truthfulness of age statement

11. International Transfers

User data is processed in:

• European Union: VPS servers in Poland
• Google Workspace: USA - Standard Contractual Clauses
• Future services: only providers with appropriate safeguards

12. Future Features

We plan to add:

• Payments: premium subscriptions (Stripe, PayPal)
• Advertising: personalized marketing content
• Analytics: Google Analytics or similar
• Push notifications: habit reminders

Before implementation, we will inform the User and request consent.

13. Policy Changes

• Notifications: email 30 days before changes
• Acceptance: continued use = acceptance of changes
• History: previous versions available upon request
• Current version: always at habitwins.app/privacy-policy

14. Contact and Complaints

Privacy questions:
Email: hello@habitwins.app
We respond within 72 hours.

GDPR complaints:
Personal Data Protection Office (Poland)
uodo.gov.pl

15. Governing Law

This policy is governed by Polish law and European law (GDPR). Court competent for the data controller's headquarters.