Privacy Policy
Last updated: June 5, 2026
CardHabit ("we", "us", "our") operates the CardHabit iOS application and cardhabitapp.com (together, the "Service"). CardHabit is an independent app built by a sole developer in Phoenix, Arizona, USA. This policy explains what data we collect, why, who processes it, and how you can control it.
If you have any questions, email hello@cardhabitapp.com.
What we collect and who processes it
We collect only the data needed to run the app and the website. Below is each data type, what it is, and the service provider that handles it on our behalf.
Account data
- What: Email address, display name, account ID. Friend connections you initiate or accept.
- Processed by: Supabase (authentication and database).
Habit and gameplay data
- What: Daily habit cards drawn, cards you commit to, completions, streaks, vault cards, archetype progression, Challenge and Buff cards sent or received between friends.
- Processed by: Supabase (database and realtime sync).
Subscription data
- What: Subscription tier (Pro or Elite), trial status, renewal state, purchase history. We do not store payment card details — all payments are processed by Apple.
- Processed by: RevenueCat (subscription management), Apple (payment processing).
Product analytics
- What: Anonymized device identifier, app events (screens viewed, cards drawn, features used), device type, OS version.
- Processed by: PostHog (product analytics, US region).
Crash and diagnostic data
- What: Crash reports, error logs, performance metrics, other diagnostic data. We have explicitly disabled screenshot capture and view-hierarchy capture in our crash reporter to avoid sending any personal content along with crash reports.
- Processed by: Sentry (crash and error reporting).
Push notifications
- What: Apple Push Notification service (APNs) device token.
- Processed by: Apple (APNs).
Waitlist
- What: Email address you provide on the waitlist form.
- Processed by: Supabase.
We do not collect precise location, contacts, photos, microphone audio, health data, or biometric data.
Required Reason API disclosures
Per Apple's privacy requirements, our app accesses the following APIs for the following reasons:
- File timestamp (C617.1): to display the time content was last updated to the user.
- System boot time (35F9.1): to measure time elapsed between events that occur within the app.
- Disk space (E174.1): to write user-generated content to disk.
Why we collect it
- Run the core app: deliver daily card draws, track streaks, manage your vault, sync between your devices, deliver Challenge and Buff cards between friends, assign and track your archetype.
- Manage your subscription: activate the right entitlement tier, handle trials, and process renewals.
- Send notifications: deliver morning draw reminders, incoming Challenges, Buffs, streak alerts, and archetype reveals.
- Improve the product: understand which features are used so we can fix what is confusing and double down on what works.
- Diagnose problems: find crashes and bugs and fix them.
We do not sell your personal information. We do not share your data with advertisers. We do not use your data to train AI models.
How long we keep it
- Account data, habit data, vault, archetype, social graph: kept for the lifetime of your account. When you delete your account from inside the app (Profile → Delete Account), everything is permanently deleted within 30 days.
- Subscription records: retained as required by Apple and tax law (typically up to 7 years from the last transaction).
- Crash reports and analytics events: retained up to 12 months, then purged.
- Waitlist email: retained until you unsubscribe or request deletion.
Your rights
You can, at any time:
- Access the data we hold about you.
- Export your account and habit data in a portable format.
- Delete your account and all associated data from inside the app at Profile → Delete Account, or by emailing us. Deletion is irreversible.
- Object to processing or restrict specific uses.
- Withdraw consent to optional processing (e.g., analytics — if you opt out, we still collect crash data necessary to keep the app running).
To exercise any of these rights, email hello@cardhabitapp.com. We respond within 30 days.
Your iOS subscription must be cancelled separately through the App Store (Settings → [your name] → Subscriptions). Deleting your CardHabit account does not cancel an active App Store subscription.
California (CCPA/CPRA)
California residents have the right to know what personal information we collect, to request deletion, to correct inaccurate information, and to opt out of sale or sharing. We do not sell or share personal information in the CCPA sense.
Europe / UK (GDPR/UK GDPR)
Our lawful bases for processing are: (1) performance of the contract to provide you the app, (2) our legitimate interest in improving and securing the app, and (3) your consent where required (e.g., analytics in jurisdictions that require opt-in). You have the right to lodge a complaint with your local data protection authority.
International data transfers
CardHabit is operated from the United States. Our service providers (Supabase, PostHog, RevenueCat, Sentry, Apple) may process data in the United States and other jurisdictions. Where required, we rely on Standard Contractual Clauses or equivalent safeguards published by each provider.
Children
CardHabit is rated 13+ on the App Store and is not directed at children under 13. We do not knowingly collect personal information from children under 13. If you believe a child has provided us with personal information, email hello@cardhabitapp.com and we will delete it.
Security
We use Apple's Sign in with Apple and standard authentication tokens. Data in transit is encrypted via TLS. Data at rest is encrypted at our service providers. No system is perfectly secure; if we learn of a breach affecting your data, we will notify you in accordance with applicable law.
Third-party privacy policies
Each of our processors maintains its own privacy policy:
- Supabase — supabase.com/privacy
- PostHog — posthog.com/privacy
- RevenueCat — revenuecat.com/privacy
- Sentry — sentry.io/privacy
- Apple (APNs and App Store) — apple.com/legal/privacy
Changes to this policy
We may update this policy as the product evolves. We will update the "Last updated" date above and, for material changes, notify you inside the app or by email. Continued use after changes take effect constitutes acceptance.
Contact
CardHabit
Phoenix, Arizona, USA
hello@cardhabitapp.com