GDPR Policy
Introduction
This GDPR Policy supplements our Privacy Policy and provides additional information for users located in the European Economic Area (EEA), United Kingdom, and Switzerland about how HabitSpark processes personal data in compliance with the General Data Protection Regulation (GDPR).
Data Controller
HabitSpark is the data controller responsible for your personal data.
Contact: habitspark.coach@gmail.com
Legal Bases for Processing
We process your personal data based on the following legal grounds under GDPR:
Contract Performance (Article 6(1)(b))
Processing necessary to provide you with our Service, including:
- Account creation and management
- Habit tracking functionality
- Notifications and reminders you configure
- Customer support
Legitimate Interests (Article 6(1)(f))
Processing based on our legitimate interests, including:
- Improving and developing our Service
- Analytics and usage statistics
- Fraud prevention and security
- Marketing our services to existing users
We balance our interests against your rights and freedoms to ensure processing is fair.
Consent (Article 6(1)(a))
Processing based on your explicit consent, including:
- Marketing communications
- Optional analytics and personalization features
- Processing of sensitive personal data (if applicable)
You may withdraw consent at any time without affecting the lawfulness of prior processing.
Legal Obligations (Article 6(1)(c))
Processing necessary to comply with legal requirements, such as:
- Tax and accounting obligations
- Court orders and legal proceedings
- Regulatory requirements
Your Rights Under GDPR
As a data subject in the EEA, UK, or Switzerland, you have the following rights:
Right of Access (Article 15)
You have the right to:
- Confirm whether we process your personal data
- Obtain a copy of your personal data
- Receive information about how we process your data
Right to Rectification (Article 16)
You have the right to:
- Correct inaccurate personal data
- Complete incomplete personal data
Right to Erasure (Article 17)
You have the right to request deletion of your personal data when:
- The data is no longer necessary for its original purpose
- You withdraw consent and no other legal basis applies
- You object to processing and there are no overriding legitimate grounds
- The data has been unlawfully processed
- Deletion is required by law
How to Delete Your Account:
- Open the HabitSpark app
- Go to Settings → Account → Delete Account
- Confirm with your password
- Account will be permanently deleted
What We Delete:
| Data Category | Action |
|---|---|
| Profile data (email, name, etc.) | Permanently deleted |
| All habits and history | Permanently deleted |
| Challenges & participations | Removed, challenges reassigned |
| Duels | Permanently deleted |
| Friendships | All connections removed |
| Points & rankings | Permanently deleted |
| Notifications | Permanently deleted |
| Device tokens | Permanently deleted |
What We Retain (Legal Basis):
- Referral audit logs: Anonymized records retained for fraud prevention (legitimate interest). These cannot be linked back to you.
- Financial records: If you made purchases, transaction records may be retained as required by tax laws (legal obligation).
Processing Time: Account deletion is processed immediately upon confirmation.
Note: Deleting your HabitSpark account does NOT automatically cancel any active subscription. Please cancel through Apple App Store or Google Play before deleting your account.
Right to Restriction (Article 18)
You have the right to restrict processing when:
- You contest the accuracy of the data
- Processing is unlawful but you oppose erasure
- We no longer need the data but you need it for legal claims
- You have objected to processing pending verification
Right to Data Portability (Article 20)
You have the right to:
- Receive your personal data in a structured, machine-readable format
- Transmit that data to another controller
- Have us transmit the data directly where technically feasible
How to Export Your Data:
- Open the HabitSpark app
- Go to Settings → Account → Export My Data
- Tap Export to generate your data file
- Your data will be prepared in JSON format (machine-readable)
- Download or share the file
What’s Included in Your Export:
| Category | Data Included |
|---|---|
| Profile | Email, nickname, country, avatar, age, goals, timezone |
| Subscription | Premium status, trial dates, subscription platform |
| Habits | All habits with full check-in history and streaks |
| Challenges | All challenges you created or participated in |
| Duels | All 1v1 duel history and results |
| Friends | Friendship connections and status |
| Points | Full points transaction history |
| Seasons | League placements and rankings |
| Notifications | Notification preferences and in-app notifications |
The export file is in JSON format, which is:
- Structured and organized
- Machine-readable (can be imported into other services)
- Human-readable (can be opened in any text editor)
- Industry-standard for data portability
Processing Time: Export is generated instantly and available for immediate download.
Right to Object (Article 21)
You have the right to object to:
- Processing based on legitimate interests
- Processing for direct marketing purposes
- Processing for research and statistical purposes
Right Not to Be Subject to Automated Decision-Making (Article 22)
You have the right not to be subject to decisions based solely on automated processing that produce legal or similarly significant effects, unless:
- It is necessary for a contract
- It is authorized by law
- You have given explicit consent
Right to Withdraw Consent
Where processing is based on consent, you may withdraw consent at any time by:
- Using in-app settings
- Contacting us at habitspark.coach@gmail.com
Right to Lodge a Complaint
You have the right to lodge a complaint with your local supervisory authority if you believe we have violated your data protection rights.
How to Exercise Your Rights
To exercise any of your rights, you may:
- In-App: Use the privacy settings in the app
- Email: Contact habitspark.coach@gmail.com with subject “GDPR Request”
- Written Request: Send a written request to our contact address
We aim to respond to your request as soon as possible, and in any case within 30 days as required by GDPR. We may request identification to verify your identity.
Data Transfers Outside the EEA
We may transfer personal data to countries outside the EEA. When we do, we ensure appropriate safeguards are in place:
- Standard Contractual Clauses (SCCs): EU-approved data transfer agreements
- Adequacy Decisions: Transfers to countries deemed adequate by the EU Commission
- Your Consent: Where you have explicitly consented to the transfer
Data Retention
We retain personal data for as long as necessary to:
- Provide the Service
- Comply with legal obligations
- Resolve disputes
- Enforce agreements
Specific retention periods:
- Account Data: Deleted immediately upon account deletion request
- Usage Logs: Up to 12 months for security and analytics
- Financial Records: As required by tax and accounting laws (typically 7 years)
- Referral Audit Logs: Retained indefinitely for fraud prevention (anonymized)
Data Protection Measures
We implement appropriate technical and organizational measures including:
- Encryption of data in transit and at rest
- Access controls and authentication
- Regular security assessments
- Employee training on data protection
- Incident response procedures
Third-Party Processors
We use the following categories of processors:
- Cloud Infrastructure: Data hosting and storage
- Analytics: Usage analysis and improvement
- Communication: Email and notification services
- Payment Processing: Subscription billing (handled by app stores)
All processors are bound by data processing agreements ensuring GDPR compliance.
Cookies and Tracking
For information about cookies and tracking technologies, please refer to our Privacy Policy.
Children’s Data
We do not knowingly collect personal data from children under 16 in the EEA. If we become aware of such collection, we will delete the data promptly.
Updates to This Policy
We will notify you of significant changes to this policy by:
- Updating this page with a new “Last Updated” date
- Posting a notice on the website
We encourage you to review this policy periodically. Your continued use of the Service after changes constitutes acceptance of the updated policy.
Contact Our Data Protection Team
For GDPR-related inquiries:
- Email: habitspark.coach@gmail.com
- Subject Line: Include “GDPR Request” for faster processing
Last Updated: December 24, 2025