Habit Flow

Privacy Policy

Last updated May 14, 2026

This policy explains what data Habitflow collects, how it is used, and the available choices. It applies to Habitflow web and app experiences.

1. Data collected

Habitflow processes account data (such as email address, authentication identifiers, and sign-in method), profile metadata (plan flags, timestamps), and the tracking content created (item names, categories, completion history, labels, colors, streak values).

Technical data needed to operate the app is also processed, such as device/browser details, crash diagnostics, and request metadata. Cookies and local storage are used for authentication/session behavior and app functionality.

When sign-up/sign-in features powered by Clerk are used, Clerk may process authentication-related metadata such as IP address, device/browser information, and sign-in event logs to provide account access and security controls.

2. End-to-end encryption data handling

If E2EE is enabled, tracking payloads are encrypted client-side before being persisted. Habitflow stores encryption metadata required for the decryption flow (such as wrapped keys and encrypted payload blobs), but does not store the passphrase.

If the passphrase is lost, encrypted content cannot be recovered.

3. Why data is processed

Data is processed to provide and secure the service, sync account data, support account management, diagnose bugs, and improve product performance and reliability.

Where applicable, processing is based on contract necessity, legitimate interests, consent, and legal obligations.

4. Third-party processors

Habitflow relies on service providers to operate the app, including:

  • Clerk (authentication and identity management). See Clerk's Privacy Policy and subprocessor list.
  • Convex (real-time database and backend infrastructure)
  • Google Firebase (database and supporting infrastructure)
  • Google Analytics for Firebase and Vercel Analytics (usage analytics)
  • Paddle (billing and merchant-of-record services)

5. Retention and deletion

Personal data is retained as long as needed to provide the service and meet legal/security obligations. Account deletion can be requested from account settings to remove an authentication account. Deletion requests are coordinated across providers, including Clerk where applicable. Tracking items and categories can also be deleted directly in-app. If full data erasure assistance is needed, contact support.

6. International transfers

Data may be processed in jurisdictions where infrastructure providers operate. When required by law, appropriate transfer safeguards are applied.

7. Your rights

Depending on location, users may have rights to access, correction, deletion, portability, and objection/restriction for certain processing. To request these, contact support at [email protected].

8. Policy updates

This policy may be updated as the product evolves. Material updates may be announced in-app or by other appropriate notice.

9. Contact

Privacy requests and questions: [email protected]