Privacy Policy

1. Information we collect

Account information.When you sign up — whether by email and password or via Google — we receive your email address and, for Google sign-in, your name and profile picture if Google sends them.

Habit data. The habits you create, their schedules, progress entries, target values, and your success/failure history.

Screenshots and generated images. When you upload your daily foundation streak screenshot or proof-of-completion images, we store them in your private bucket inside our database provider. Daily composite images you generate are stored alongside.

Notification preferences. Your reminder times, timezone, channel choices (push and/or email), and the push-subscription tokens issued by your browser if you opt in to push notifications.

Operational metadata. Standard server logs (IP address, user agent, timestamps of requests) maintained by our hosting and database providers for security and debugging.

We do not collect special-category data, financial information, or precise location data beyond what is implied by your IP address for security purposes.

2. How we use it

We use your data only to provide and operate the service you signed up for: authentication, syncing your habits across devices, generating shareable composites, sending reminders, computing your streaks, and running optional client-side OCR on proof images to check that the upload is plausibly related to your habit. We also use minimal anonymous telemetry to keep the app fast and reliable (see Section 4), detect abuse, debug issues, and respond when you contact us.

What we never do:

• We do not sell, rent, or trade your data to anyone, for any purpose.
• We do not share your data with advertisers and we don’t run ad pixels or cross-site tracking inside the app.
• We do not use your data to train machine-learning or AI models.
• We do not hand your full account, habit history, or stored images to any third party. Even our service providers (listed in Section 3) only receive the minimum piece of information needed for the specific feature they power.

The only situations in which we may share data beyond what’s strictly needed to operate the service are:

• When required by applicable law, a valid court order, or a binding regulatory request — and even then, only the specific data that is legally compelled, and we will notify you where we are allowed to.
• When sharing the minimum necessary information with a service provider that we rely on to deliver the service reliably (see Section 3). These providers are bound by their own privacy obligations and contractual restrictions.

3. Third-party services

We use the following service providers:

• Supabase— database, authentication, and file storage. (privacy policy)
• Google— only when you sign in with Google. Google returns your basic profile and email to us. (privacy policy)
• Resend— sends transactional reminder emails on our behalf if you have email reminders enabled. (privacy policy)
• Vercel— hosts the application and serves it to your browser. (privacy policy)
• Vercel Web Analytics & Speed Insights— receives anonymous page-view counts and Web Vitals performance metrics from your browser. No personal identifiers, no cookies, no cross-site tracking. (privacy policy)

Each provider handles your data under its own privacy policy. We pass only the minimum information required for the corresponding feature — for example, your email address to Resend so a reminder can be delivered, or your OAuth identifier to Google or Meta so you can sign in. We never transfer your full habit history, your stored screenshots, or your generated composite images to anyone other than Supabase (which hosts them securely on your behalf inside your private bucket).

4. Cookies and tracking

We use cookies only to keep you signed in and refresh your authentication session. We do not use third-party ad pixels, cross-site trackers, or marketing analytics.

We do collect two narrow categories of anonymous telemetry to keep the app fast and reliable:

• Vercel Web Analytics— counts of page views per route. Cookieless, no IP storage, no personal identifiers, no cross-site tracking.
• Vercel Speed Insights— Web Vitals performance metrics (LCP, INP, CLS) sampled in your browser and sent to Vercel. No personal identifiers.

If you enable browser push notifications, the browser issues a subscription token that we store so we can deliver reminders.

5. Data retention and deletion

Your data is kept for as long as your account is active. You can at any time:

• Export your data via Settings → Your data → Export my data.
• Delete your entire account and all associated data via Settings → Your data → Delete account.

Deletion is permanent and irreversible. Your screenshots, habits, daily logs, and entries are removed from our storage and database shortly after the request is confirmed.

→ View detailed data deletion procedures and personal-data privacy best practices.

6. Children

Sticky Habits is not directed to children under 13. If you are under 13, please do not use the service. If we learn we have collected data from someone under 13, we will delete it.

7. Security

We use industry-standard encryption in transit (HTTPS) and at rest, and we rely on row-level security in our database so that each user can only access their own data. No internet service can guarantee perfect security, but we treat your data with care.

8. International users

Sticky Habits is operated from Tanzania. By using the service, you consent to your data being processed in regions where our service providers operate (typically the EU and the US).

9. Changes to this policy

If we update this policy, we’ll change the “last updated” date and, for significant changes, notify users by email or an in-app banner. Continued use after a change indicates acceptance of the updated policy.

10. Contact

Questions, requests, or concerns? Reach us at stickyhabits.tz@gmail.com.