Important Notice
This Privacy Policy describes how Habitual Growth, LLC (“Habitual Growth,” “we,” “our,” or “us”) collects, uses, shares, and protects personal data relating to users of our website (HabitualGrowth.com), our mobile application, and related online services (together, the “Services”). It should be read alongside our Terms of Service, our Region-Specific Addendum, our Creator Agency Agreement (if you are a Creator), and our Teams Subscription Terms (if you are a Teams customer or user).
If you are a resident of the European Economic Area, United Kingdom, Switzerland, or one of our other launch countries, additional rights and disclosures apply to you under our Region-Specific Addendum. The Addendum and this Privacy Policy are intended to work together; where they differ for your jurisdiction, the Addendum controls to the extent of the difference.
This Privacy Policy is written to be understandable. If anything is unclear, please contact us at info@habitualgrowth.com.
Privacy at a Glance
This summary highlights the most important points in plain language. It is not a substitute for the full Privacy Policy, which follows.
What we collect
Basic account information (name, email, date of birth for age verification), content you create in the Services (habits, goals, Challenges, Plans, ratings), device and usage information (IP address, device identifiers, app activity), and, with your permission, information from device features (camera, microphone, photos, location, contacts) when you use features that require them.
What we do with it
Operate the Services, personalize your experience, process your payments, keep your account secure, respond to you, prevent fraud and abuse, and improve the Services.
What we don’t do
- We do not sell your personal data for money.
- We do not show advertisements inside the App.
- We do not use your habit data or other personal content for retargeting.
- We do not knowingly collect personal data from anyone under 16 except through a Subaccount set up by a parent or legal guardian.
Who we share with
A short, specific list of service providers that run our infrastructure (AWS, Auth0, Stripe, SendGrid, Firebase, Amplitude, Sentry, Branch.io, and GoHighLevel). Other users (only as permitted by your sharing settings). Authorities, when legally required. A buyer of our business, in the event of a merger or acquisition.
Your rights
Depending on where you live, you can request access to your personal data, correct it, delete it, obtain a copy of it, object to or restrict certain processing, withdraw consent, and lodge a complaint with your local data protection authority. To exercise any of these rights, email info@habitualgrowth.com with the subject line “PRIVACY.”
How to contact us
info@habitualgrowth.com. For jurisdiction-specific contacts (including India Grievance Officer, EU Representative, and others), see Section 19 of this Privacy Policy and the Region-Specific Addendum.
Table of Contents
1. Introduction
2. About Us and How to Contact Us
3. Scope of This Policy
4. Personal Data We Collect
5. Subaccounts
6. How We Use Personal Data (Purposes and Legal Bases)
7. How We Share Personal Data
8. Artificial Intelligence and Machine Learning
9. Cookies and Similar Technologies
10. Marketing Communications
11. Data Retention
12. Data Security
13. International Data Transfers
14. Your Privacy Rights
15. Children
16. Teams Subscriptions (B2B)
17. Third-Party Services
18. Changes to This Privacy Policy
19. Contact Us and Region-Specific Information
1. Introduction
Habitual Growth, LLC is a personal growth and wellness platform. Our mission is to help people build habits, pursue goals, participate in structured Challenges and Plans, and connect with others on similar journeys.
We take your privacy seriously. We collect the minimum personal data we need to provide and improve the Services, keep them safe, and communicate with you. We are transparent about what we collect, why we collect it, and who we share it with.
This Privacy Policy applies to Habitual Growth’s Services. It does not apply to any third party’s website, product, or service, even if that third party is linked to from the Services. When you interact with third-party services, that third party’s privacy practices govern, and we encourage you to read their notices.
2. About Us and How to Contact Us
2.1 Who We Are
The controller of personal data processed through the Services is:
Habitual Growth, LLC
12081 W Alameda Pkwy, PMB 139
Denver, Colorado, United States
Email: info@habitualgrowth.com
2.2 Privacy Contact
For any privacy-related question, request, or concern, email us at info@habitualgrowth.com. For routing efficiency, use the subject lines in Section 19.
2.3 EU and UK Representatives
We will identify our EU Representative under Article 27 of the EU GDPR, and (where applicable) our UK Representative under Article 27 of the UK GDPR, on this Privacy Policy before the Services become available in the EEA or UK. Residents of the EEA may contact our EU Representative directly for any GDPR-related matter.
2.4 Data Protection Officer
We will appoint a Data Protection Officer (“DPO”) if and when required by applicable law, including under GDPR Article 37 as our processing activities scale. Until then, our privacy team can be reached at info@habitualgrowth.com.
2.5 Country-Specific Contacts
Certain jurisdictions require a locally named contact (for example, a Grievance Officer in India, an Information Officer in South Africa, or a Data Protection Officer in Singapore, Nigeria, and the Philippines). See Section 19 and the Region-Specific Addendum for the applicable contact details and subject lines.
3. Scope of This Policy
3.1 What This Policy Covers
This Privacy Policy applies to personal data we collect when you:
- visit HabitualGrowth.com or any Habitual Growth subdomain;
- download, install, or use the Habitual Growth mobile application on iOS or Android;
- create an Account or Subaccount;
- purchase a subscription, Challenge, Plan, or Teams license;
- interact with other users through Groups, leaderboards, Challenges, or Plans;
- contact our support team; or
- otherwise interact with our Services.
3.2 What This Policy Does Not Cover
This Privacy Policy does not apply to:
- websites, apps, or services operated by third parties, including those you reach through links in the Services (for example, Apple, Google, Stripe, YouTube);
- content shared with other users at your direction (which becomes subject to the audience you choose); or
- Creator Content distributed through third-party channels, which, if monetized under the Creator Agency Agreement, is governed by the terms of that distribution channel and any sublicense.
3.3 How This Policy Works With Other Documents
This Privacy Policy works together with our Terms of Service, our Region-Specific Addendum, our Creator Agency Agreement (for Creators), our Teams Subscription Terms (for Teams customers), and, where applicable, a Data Processing Addendum (for Teams customers who are data controllers of their users’ personal data). In the event of inconsistency between this Privacy Policy and another document as to privacy-related matters, this Privacy Policy controls, except that the Region-Specific Addendum controls to the extent required by the applicable law of your jurisdiction.
4. Personal Data We Collect
We collect personal data in four ways: directly from you, automatically through your use of the Services, from third parties acting on your behalf (such as authentication providers), and, with your permission, through device features such as camera or location.
4.1 Information You Provide to Us
Account Information
When you create an Account, you provide: your first and last name, email address (and/or phone number), date of birth (used to confirm you meet the minimum age of 16 and to apply any jurisdiction-specific age rules), a password (stored in hashed form; we never see your plaintext password), and, if you choose to provide it, a profile photo.
Profile Information
You may choose to provide additional information about yourself, such as your preferred name, pronouns, time zone, a short biography, goals, and interests. These are optional.
Payment Information
When you purchase a subscription, Challenge, Plan, or Teams license, payment is processed by Stripe (or, for app-store-initiated purchases, by Apple or Google). Habitual Growth does not directly receive or store your full payment card number. We receive from Stripe a token identifying the transaction, the last four digits of the card, the card brand, the country of issuance, the billing postal code or country, and the transaction amount and status, which we use for receipts, tax reporting, fraud prevention, and refunds.
Content You Create
When you use the Services, you create content, including: habit definitions and logs, goals, personal notes, ratings of Challenges and Plans, Group names (if you create a Group), your profile picture, and Challenges and Plans you create (whether or not published). We collectively call this “User Content.” You retain ownership of your User Content as described in Section 6 of the Terms of Service. We process it to provide the Services as you direct.
Communications With Us
When you contact us (including for customer support, feedback, DMCA notices, moderation reports, or privacy requests), we collect the contents of your communication, your contact information, and related metadata (such as the date, subject line, and any attachments).
Creator Information
If you sign the Creator Agency Agreement to monetize Challenges or Plans, we also collect your legal name, billing or payout address, tax identification information (for example, a U.S. Taxpayer Identification Number on Form W-9, or a non-U.S. equivalent on Form W-8BEN or W-8BEN-E), and payout account details collected via Stripe Connect.
4.2 Information We Collect Automatically
Device and Technical Data
When you use the Services, we automatically collect:
- device identifiers (for example, advertising identifiers such as IDFV, or device-unique IDs we generate internally);
- operating system and version;
- mobile device make and model;
- app version and installation source;
- browser type and version (for web access);
- language preferences; and
- network information, including IP address and general connection type (e.g., Wi-Fi or cellular).
Usage Data
We collect information about how you interact with the Services, including:
- features used and screens viewed;
- actions taken (for example, creating a habit, completing a Plan, joining a Group);
- timing, frequency, and duration of activity;
- referring URLs, when you reach the Services from another site;
- search terms used within the Services;
- error and crash information (processed through our error-monitoring provider);
- install attribution data (processed through our mobile-attribution provider); and
- inferences we make from your activity (for example, which Plans are likely to interest you, or whether a habit streak needs a reminder).
Approximate Location
We derive approximate location (typically city-level or coarser) from your IP address, for purposes including applying the correct jurisdiction-specific terms to you, localizing content, detecting fraud, and measuring general usage patterns. IP-derived location is not precise GPS location.
4.3 Information From Third Parties
Authentication Providers
If you choose to sign in using Sign in with Apple, Sign in with Google, or Facebook Login, those providers share limited information with us as you authorize at the point of sign-in. The information typically includes an identifier that uniquely represents you on that provider’s service, and your email address (unless you choose Apple’s Hide My Email option, in which case Apple provides a relay address).
Payment and Tax Providers
Stripe (for direct payments) and, where applicable, Apple and Google (for in-app purchases made through their stores) share with us the limited transactional data described in Section 4.1 (Payment Information). Stripe Tax calculates the applicable tax for each transaction, and we receive the computed amount and jurisdiction.
Integrations You Initiate
As of the Effective Date, the Services do not include direct integrations with third-party health, fitness, or biometric tracking services (such as Apple Health, Google Fit, Whoop, Oura, Garmin, Fitbit, or Strava). If we introduce such integrations in the future, your use will be subject to additional notices, and data received from those integrations will be processed under this Privacy Policy and any additional terms presented at the time.
4.4 Device Permissions and What They Access
The App asks for your permission before accessing certain features of your device. You can grant or deny each permission, and you can change your choice at any time through your device’s settings. The table below lists each permission we request.
Permission | What We Use It For |
--- | --- |
Camera | To let you take a profile photo, progress photo, or a photo that you attach to a habit log, Challenge, or Plan. We do not continuously access or record from your camera; we access it only when you explicitly trigger a photo action. |
Microphone | To let you record voice notes for habits or reflections. We access the microphone only when you explicitly trigger an audio recording action. |
Photo Library | To let you upload an existing photo from your device to your profile, a habit log, a Challenge, or a Plan. We access only the photo you explicitly select. |
Precise Location (GPS) | To let you associate a habit or Plan with a specific location (for example, a run at a park), or to support location-based features you turn on. We access precise location only when a location-based feature is actively in use. |
Approximate Location | To show you locally relevant content (for example, Challenges in your region) and apply the correct regional terms. When you do not grant precise location, we may use approximate location as a fallback. |
Contacts | To let you find friends on Habitual Growth. If you enable this feature, we upload a hashed version of the email addresses and phone numbers in your contacts to match against existing Habitual Growth accounts. We do not store the names of your contacts. Hashed contact data is retained only while you keep the feature enabled. |
Push Notifications | To deliver reminders, streak alerts, Group and leaderboard updates, and Service updates. You can control categories of push notifications within the App and fully disable push notifications through your device settings. |
The Services do not request biometric (Face ID / Touch ID) permissions for app unlock, Bluetooth permissions, calendar permissions, or motion or fitness sensor permissions. If we add any such feature in the future, we will update this Privacy Policy and request permission through your operating system.
4.5 Sensitive Personal Data
The Services are designed for personal growth and wellness, which means that you may provide us with information that is considered sensitive under data-protection laws. This can include (depending on what you choose to share): information relating to your physical or mental well-being, religious or philosophical beliefs, spiritual or meditative practice, habit-related health behaviors, and, if you choose to participate, information that reveals your interests, values, or beliefs.
We do not require you to provide sensitive personal data to use the Services. You choose what to enter into the Services. However, because some features (for example, prayer, meditation, religious or spiritual Challenges and Plans) inherently relate to sensitive categories, we take additional steps with respect to such information.
Where required by applicable law (including the EU and UK GDPR, the Brazilian LGPD as it applies in future launches, and laws in several other launch countries), we obtain your explicit, informed, and affirmative consent before we process sensitive personal data. This consent is obtained through a specific toggle or checkbox in the App, distinct from your acceptance of our Terms of Service. You may withdraw that consent at any time through your Account settings; withdrawing consent does not affect the lawfulness of processing that occurred before withdrawal.
We do not share sensitive personal data with advertising networks or data brokers, and we do not use it for ad targeting. We apply additional access controls to sensitive personal data within our systems.
5. Subaccounts
As described in Section 3 of the Terms of Service, the primary Account holder may create one or more Subaccounts under their primary Account, for example for a family member under the age of 16. Subaccounts have limited functionality and cannot make purchases, create Groups, provide payment information, or change subscription settings.
When you create a Subaccount, you represent that you are the primary Account holder, that you have the legal authority to create the Subaccount (including, where the Subaccount user is a minor, that you are the minor’s parent or legal guardian), and that you agree to this Privacy Policy and the Terms of Service on behalf of the Subaccount user. For Subaccounts used by minors, your representation constitutes the parental consent required by applicable law (including the U.S. Children’s Online Privacy Protection Act, GDPR Article 8, and equivalent rules in other jurisdictions).
We collect from Subaccount users the information necessary to provide the Services to them (name, date of birth, and optional profile information), and we apply particular care to Subaccount data: we do not use it for marketing, we do not profile Subaccount users for behavioral advertising, and we limit sharing to service providers as described in Section 7.
As the primary Account holder, you may access information held about the Subaccount, correct it, and request its deletion at any time. To do so, email info@habitualgrowth.com with the subject line “SUBACCOUNT.”
6. How We Use Personal Data
We use personal data for the purposes below. For each purpose, we identify the categories of data involved and, for users subject to the GDPR or UK GDPR, the legal basis on which we rely.
Purpose | Categories of Data | Legal Basis (GDPR / UK GDPR) |
--- | --- | --- |
Provide and operate the Services; create and manage your Account; deliver features you request | Account info, profile info, content you create, device and technical data, usage data | Performance of a contract (Article 6(1)(b)) |
Process payments, issue receipts, comply with tax obligations | Payment info, limited transactional data, tax info (for Creators) | Performance of a contract and legal obligation (Article 6(1)(b) and (c)) |
Secure the Services; prevent, detect, and investigate fraud, abuse, security incidents, and violations of our Terms; respond to legal process | All categories as necessary | Legitimate interests (Article 6(1)(f)) and legal obligation (Article 6(1)(c)) |
Personalize your experience; recommend Challenges, Plans, and content that may interest you | Profile info, content you create, usage data, inferences | Legitimate interests (Article 6(1)(f)); for sensitive data, explicit consent (Article 9(2)(a)) |
Operate the Creator program, including revenue share calculations and payouts | Creator tax and payout info, transaction data, Creator Content metadata | Performance of a contract and legal obligation (Article 6(1)(b) and (c)) |
Communicate with you about the Services (billing, security, legal notices, service updates) | Account info, contact info | Performance of a contract and legitimate interests (Article 6(1)(b) and (f)) |
Send marketing communications and promotions (only where you have opted in or where permitted by law) | Contact info, usage data, inferences | Consent (Article 6(1)(a)) or legitimate interests with opt-out (Article 6(1)(f)), depending on jurisdiction |
Operate content moderation, respond to reports and appeals, comply with the Digital Services Act and other applicable moderation laws | Content you create, reports, moderation records, device and usage data | Legitimate interests (Article 6(1)(f)) and legal obligation (Article 6(1)(c)) |
Train and improve our internal models (safety, personalization, recommendations); operate AI features within the Services as described in Section 8 | Content you create (excluding private content without consent), usage data, de-identified or pseudonymized data | Legitimate interests (Article 6(1)(f)); explicit consent for any sensitive data (Article 9(2)(a)); see Section 8 for details |
Conduct corporate transactions (for example, a merger, acquisition, or financing) | Aggregated business data; personal data as necessary to complete the transaction | Legitimate interests (Article 6(1)(f)) |
Comply with legal obligations and exercise or defend legal claims | As necessary | Legal obligation (Article 6(1)(c)) and legitimate interests (Article 6(1)(f)) |
We do not make decisions about you that produce legal or similarly significant effects using solely automated processing without human involvement. Certain personalization features operate automatically (for example, recommending content), but these do not legally or materially affect you.
7. How We Share Personal Data
We share personal data only as described in this Section. We do not sell your personal data for money.
7.1 Service Providers and Subprocessors
We engage third-party service providers (also known as “subprocessors” or “processors”) to help us run the Services. Each service provider receives only the personal data needed to perform its function, is bound by contract to keep personal data confidential and secure, and is prohibited from using personal data for its own purposes. Our current principal service providers are:
Service Provider | Purpose | Categories of Data | Primary Processing Location |
--- | --- | --- | --- |
Amazon Web Services (AWS) | Cloud hosting and infrastructure; managed Postgres database; file storage | All categories, as stored by the Services | United States (with international transfer safeguards for EU/UK data) |
Auth0 (Okta, Inc.) | User authentication and session management | Email, authentication events, hashed credentials | United States and European Union |
Stripe, Inc. | Payment processing; Stripe Tax for VAT/GST/sales tax; Stripe Connect for Creator payouts | Payment info, billing country, limited transactional data, Creator payout and tax info | United States (global PCI-DSS compliant infrastructure) |
Twilio SendGrid | Transactional email delivery (billing, security, service notices) | Email address, email content, delivery metadata | United States |
Firebase Cloud Messaging (Google LLC) | Push notification delivery to iOS and Android devices | Device tokens, notification content and metadata | United States and global Google infrastructure |
Amplitude, Inc. | Product analytics; usage events; feature performance measurement | Pseudonymized user ID, event data, device data, approximate location | United States |
Sentry (Functional Software, Inc.) | Error and crash reporting; service reliability monitoring | Pseudonymized user ID, error and crash data, device and OS data | United States (with EU data residency available) |
Branch.io, Inc. | Mobile install attribution and deep linking | Install events, device fingerprint, campaign identifiers | United States |
GoHighLevel (HighLevel, Inc.) (“GHL”) | Marketing email delivery, CRM, marketing automation, landing-page hosting | Email address, name, marketing preferences, marketing engagement metadata | United States |
We may engage additional service providers or change these providers in the ordinary course of business. When we add or materially change service providers, we will update this list in this Privacy Policy. If you are a Teams customer and have a Data Processing Addendum with us, we will also provide notice of material subprocessor changes through the mechanism set forth in the Data Processing Addendum.
7.2 Other Users of the Services
The Services include limited social features. When you choose to share content or participate in social features, certain information becomes visible to other users. Specifically:
- Your profile picture is visible to other users with whom you share a Group or other social surface. Your full profile and other profile details are not made visible to other users.
- When you join a Group, your participation metrics (such as activity counts and streak information) and your profile picture are visible to other members of that Group through the shared leaderboard and dashboard. No personal information beyond your profile picture and these high-level metrics is shared with other Group members.
- Ratings you give to Challenges and Plans are anonymous; other users cannot see which rating you gave. We use ratings only to calculate aggregate scores on the back end.
- Public Challenges and Plans that you create and that have been published through the Creator program are visible to all users of the Services.
Please think carefully before sharing sensitive personal data with other users. Once shared, we cannot guarantee that the recipients will not further share your information outside the Services.
7.3 Teams Administrators
If you are a user of a Teams Subscription, your Teams Administrator has limited visibility into your use of the Services as described in Section 16 of this Privacy Policy and in our Teams Subscription Terms. Teams Administrators receive aggregated reports when five (5) or more users are enrolled in their Team, and do not receive your individual habit logs, reflections, or other personal content.
7.4 Legal and Safety Disclosures
We may disclose personal data to law enforcement, regulators, courts, and other third parties where we believe, in good faith, that such disclosure is necessary to:
- comply with a law, legal process, subpoena, court order, or other legal obligation;
- enforce our Terms of Service, this Privacy Policy, the Creator Agency Agreement, the Teams Subscription Terms, or another applicable agreement;
- respond to an emergency involving potential risk to life or serious harm;
- detect, prevent, or investigate fraud, abuse, or security incidents; or
- protect the rights, property, or safety of Habitual Growth, its users, or others.
Where legally permitted, we will notify users of legal demands for their personal data, and we may challenge demands we believe are overbroad or unlawful. We publish periodic transparency information about the legal demands we receive.
7.5 Business Transfers
If Habitual Growth undergoes a merger, acquisition, sale of assets, reorganization, bankruptcy, or similar transaction, personal data may be transferred to the successor entity as part of the transaction. We will notify you (by email, in-app notification, or a prominent notice on the Site) before your personal data becomes subject to a materially different privacy policy.
7.6 With Your Consent
We may share personal data with third parties in any other case with your consent or at your direction (for example, if you choose to publish Creator Content on a third-party platform).
8. Artificial Intelligence and Machine Learning
8.1 Our AI/ML Approach
We use artificial intelligence and machine-learning techniques (together, “AI/ML”) in the Services for specific, limited purposes: detecting abuse and safety violations, recommending Challenges and Plans likely to interest you, personalizing your experience, supporting customer care, and improving the reliability and quality of the Services. Some of these features operate on models we build and run internally; others use models provided by select third-party AI/ML vendors under contract.
8.2 What We Do and Do Not Do
We do:
- use non-sensitive personal data (such as usage patterns and non-private content you have chosen to share) to train, evaluate, and improve our internal models;
- share limited personal data with vetted third-party AI/ML vendors solely as processors acting on our behalf, under data-processing contracts that restrict their use of the data to providing the service to us, require confidentiality and appropriate security, and prohibit use of your personal data to train general-purpose models outside our contract scope;
- use pseudonymized or de-identified data wherever feasible; and
- retain the ability for a human to review and override automated decisions that materially affect you.
We do not:
- sell your personal data to AI/ML vendors or to anyone else;
- allow third-party AI/ML vendors to use your personal data to train their own general-purpose or commercial models outside the scope of services they provide to us;
- use the content of private notes, reflections, or other private content you mark as private to train AI/ML models without a separate legal basis, such as your specific consent; or
- make decisions about you based solely on automated processing that produce legal or similarly significant effects, without human involvement and without a lawful basis under applicable law.
8.3 Sensitive Data in AI/ML
Where AI/ML processing would involve sensitive personal data (as described in Section 4.5), we rely on your explicit consent given through the distinct consent mechanism in the App, or another lawful basis permitted under GDPR Article 9 and equivalent laws. You may withdraw consent at any time, which will stop further use of your sensitive personal data in AI/ML processing going forward.
8.4 Your Controls
You may opt out of the use of your personal data to train or improve our internal models by emailing info@habitualgrowth.com with the subject line “AI OPT-OUT.” Opting out does not prevent us from using AI/ML within the Services to provide features you request, to detect abuse, or to meet legal obligations, and does not prevent us from using fully de-identified or aggregated data.
9. Cookies and Similar Technologies
9.1 What Cookies We Use
A “cookie” is a small file stored on your device when you visit a website. The Services use cookies and similar technologies (such as pixels, local storage, and software development kits on mobile devices) for the following purposes:
Strictly necessary
Essential to operate the Site and App, including authentication, session management, security, load balancing, and remembering your consent preferences. These cannot be turned off without breaking core functionality.
Functional
Remember choices you make (for example, your language or time zone) and provide enhanced features.
Analytics (in-app and mobile only)
We use Amplitude to measure feature usage, performance, and stability. We do not use Google Analytics or any other third-party web analytics on our marketing website.
Marketing attribution
We use Branch.io to measure the effectiveness of marketing campaigns that result in installs of the App. On our marketing website, we may use conversion pixels from Meta (Facebook) and Google Ads, solely to measure whether visitors who click our ads subsequently sign up. We do not use these pixels for retargeting or interest-based advertising, and we do not show third-party ads inside the App. Marketing attribution and conversion pixels can be disabled through your cookie preferences.
9.2 Managing Cookies
You can control non-essential cookies through the cookie preference manager on our Site (where required by applicable law), through your browser’s cookie settings, or through your device’s operating system. In many EEA and UK jurisdictions, we will not place non-essential cookies until you have provided consent through the cookie banner. For mobile devices, you can reset the advertising identifier and limit ad tracking in your device settings.
9.3 Do Not Track and Global Privacy Control
Because there is no uniform industry standard for how to respond to “Do Not Track” browser signals, the Services do not respond to Do Not Track. We do honor the Global Privacy Control (GPC) signal where required by applicable law (including the California CCPA and the Colorado CPA), by treating it as a valid opt-out of the “sale” or “sharing” of personal data for cross-context behavioral advertising.
10. Marketing Communications
10.1 Types of Communications
We send two kinds of messages:
- transactional (for example, billing receipts, security alerts, password reset links, service-change notices, and moderation decisions). These are necessary to provide the Services, and you cannot opt out of them without closing your Account; and
- marketing (for example, feature announcements, newsletters, and promotional offers). These are sent only where you have opted in or where otherwise permitted by applicable law.
10.2 Opting Out
You can opt out of marketing communications at any time by using the “unsubscribe” link in any marketing email, by adjusting your notification preferences in your Account, or by contacting info@habitualgrowth.com with the subject line “UNSUBSCRIBE.” You will continue to receive transactional communications necessary to the Services.
10.3 Push Notifications and In-App Messages
Push notifications and in-app messages can be managed through your device settings and within the App. You can disable push notifications entirely, or choose which categories (for example, streak reminders, messages, Group activity) you want to receive.
11. Data Retention
11.1 Our Retention Principles
We retain personal data only for as long as we need it to deliver the Services to you, to comply with legal obligations, to enforce our agreements, and to resolve disputes. When we no longer need personal data, we delete it or de-identify it so it can no longer be linked to you.
11.2 Specific Retention Periods
Our standard retention periods are set forth below. In each case, we may retain information longer where required by law, by legal process, or to enforce our rights.
| Category | Retention |
| --- | --- |
| Account information and profile data | For as long as your Account remains active. When you request account deletion, for up to 90 days thereafter (for recovery and to handle legal, fraud, or safety matters), and then permanent deletion. |
| Content you create (habits, goals, Challenges, Plans, reflections) | For as long as your Account remains active, and up to 90 days after account deletion, except that items you have shared publicly or with other users may persist with those users as governed by Section 7.2. |
| Profile pictures, Group names, and ratings | For as long as your Account remains active, and up to 90 days after account deletion. Ratings are retained in aggregated, de-identified form and are not linked to you after submission. |
| Payment records, invoices, and tax documents | At least 7 years after the transaction, to meet U.S. federal and state tax-record retention obligations. Longer where required by applicable local law. |
| Creator tax and payout records (W-9, W-8BEN, Form 1099, payout history) | At least 7 years after the end of the applicable tax year, to meet IRS and foreign equivalent retention obligations. |
| Server logs, including IP addresses and request logs | Minimum 90 days; longer for security investigations or legal holds. |
| Error, crash, and diagnostic data (via Sentry) | 90 days standard retention, longer for open incidents. |
| Product analytics data (via Amplitude) | 24 months, pseudonymized; aggregated or anonymized beyond 24 months where retained. |
| Marketing engagement data (via GHL) | For as long as you remain subscribed to marketing communications, plus 24 months after unsubscribe for suppression-list purposes. |
| Content moderation records (reports, actions taken, appeal records) | 12 months after the relevant action, or longer if required by the EU Digital Services Act or other applicable law, or if the record is subject to an ongoing matter. |
| Backups | Rolling 90-day backups. Data deleted from the primary systems is purged from backups when the 90-day window elapses. |
| Hashed contact data (from the Find Friends feature) | Only while you keep the feature enabled; removed promptly after you disable the feature. |
If your Account has been inactive for an extended period (generally, at least 24 months with no sign-in and no subscription), we may contact you and, absent a response, close the Account in accordance with this retention schedule.
12. Data Security
12.1 Our Safeguards
We implement administrative, technical, and physical safeguards designed to protect personal data from unauthorized access, disclosure, alteration, and destruction. Our safeguards include:
- encryption in transit (TLS 1.2 or higher) for data moving between your device and our servers;
- encryption at rest for database storage;
- role-based access controls with the principle of least privilege for employee and contractor access;
- multi-factor authentication for administrative access to production systems;
- network segmentation and firewalling within our AWS environment;
- logging, monitoring, and alerting for anomalous activity;
- regular vulnerability scanning and penetration testing;
- vendor security assessment for service providers that process personal data; and
- background checks for personnel with access to sensitive systems.
12.2 Your Role
Security is a shared responsibility. You are responsible for choosing a strong password, keeping your login credentials confidential, and using caution about what personal data you share through the Services. If you have reason to believe your Account has been compromised, please contact us immediately at info@habitualgrowth.com with the subject line “SECURITY.”
12.3 Breach Notification
Despite our safeguards, no service can guarantee absolute security. If we experience a personal data breach that is likely to create a material risk to you, we will notify you consistent with applicable law. For users subject to the GDPR or UK GDPR, we will notify the competent supervisory authority within seventy-two (72) hours of becoming aware of the breach where required. For users in other jurisdictions, we will notify you and regulators consistent with the notification timelines required by your jurisdiction’s law.
13. International Data Transfers
13.1 Where We Process Data
Habitual Growth is based in the United States, and our principal data-processing infrastructure (AWS, hosted in U.S. regions) is located in the United States. Our service providers also process personal data in the United States and, in some cases, in other countries. If you use the Services from outside the United States, your personal data will be transferred to the United States and processed there and in other countries where our service providers operate.
13.2 Transfer Safeguards
We rely on the following safeguards to protect personal data transferred across borders:
- For transfers of personal data from the European Economic Area, the United Kingdom, and Switzerland to the United States and other countries not recognized as providing an adequate level of data protection, we rely on the EU Standard Contractual Clauses (Commission Implementing Decision (EU) 2021/914), the UK International Data Transfer Addendum to the EU SCCs, and the Swiss Addendum, as applicable.
- We conduct transfer impact assessments where required and implement additional technical and organizational measures (including the security safeguards described in Section 12) to protect personal data in transit and at rest.
- For transfers from other jurisdictions that regulate cross-border transfers, including Canada, Brazil, Australia, Singapore, South Africa, India, Nigeria, Kenya, and others, we rely on the mechanisms identified in our Region-Specific Addendum (consent, contractual safeguards, or adequacy findings as applicable under local law).
13.3 EU-U.S. Data Privacy Framework
Habitual Growth has not (as of the Effective Date) self-certified under the EU-U.S. Data Privacy Framework, the UK Extension to the DPF, or the Swiss-U.S. Data Privacy Framework. We may elect to self-certify in the future and will update this Privacy Policy if we do so. Our current transfer basis is SCCs and equivalent mechanisms as described above.
13.4 Copies of Safeguards
You can request a copy of the applicable transfer safeguards (with commercially confidential information redacted) by emailing info@habitualgrowth.com with the subject line “TRANSFER SAFEGUARDS.”
14. Your Privacy Rights
14.1 Rights Available to You
Depending on your jurisdiction, you have some or all of the following rights with respect to your personal data:
- the right to access your personal data and to receive a copy of it;
- the right to correct inaccurate or incomplete personal data;
- the right to request deletion of your personal data, subject to legal retention obligations;
- the right to data portability (to receive your personal data in a structured, commonly used, machine-readable format);
- the right to object to or restrict certain processing, including processing for direct marketing or based on our legitimate interests;
- the right to withdraw consent where processing is based on your consent, without affecting the lawfulness of processing before withdrawal;
- the right to opt out of the “sale” or “sharing” of your personal data (as those terms are defined in U.S. state privacy laws), and to limit the use of sensitive personal information;
- the right to appeal a decision on your request (where applicable);
- the right not to be subject to automated decision-making that produces legal or similarly significant effects on you, except in limited circumstances permitted by law; and
- the right to lodge a complaint with your local data-protection authority.
The specific rights available to you, and the conditions under which you can exercise them, depend on your jurisdiction. Full details are set forth in the Region-Specific Addendum.
14.2 How to Exercise Your Rights
To exercise any of these rights, email us at info@habitualgrowth.com using the subject line conventions in Section 19 and the Region-Specific Addendum. We will respond within the timeframe required by applicable law (generally thirty (30) days under the GDPR; forty-five (45) days under U.S. state laws, extendable once; and the specific timeframes identified in other parts of the Region-Specific Addendum, including twenty-four (24) hours for acknowledgment of India grievances).
14.3 Verification
We may need to verify your identity before processing your request. Verification methods are proportionate to the sensitivity of the request. For simple requests (such as accessing data from your own Account), logging into your Account is generally sufficient. For more sensitive requests (such as deletion), we may ask for additional verification.
14.4 Authorized Agents
In California and certain other jurisdictions, you may designate an authorized agent to exercise your rights on your behalf. We will require proof of the agent’s authorization and may verify your identity directly.
14.5 No Discrimination
We will not discriminate against you for exercising any of your privacy rights. We will not deny you the Services, charge you different prices, or provide you a lower quality of service because you exercised a privacy right, except as specifically permitted by law (for example, if providing a service to you is technically not possible without processing certain personal data).
15. Children
15.1 Minimum Age
The Services are not intended for individuals under the age of 16. We do not knowingly collect personal data from any person under 16 to create a primary Account. If we learn that we have collected personal data from a person under 16 other than through a properly authorized Subaccount, we will delete that information promptly.
15.2 Subaccounts
The primary Account holder may create a Subaccount for a person under 16, subject to Section 5 of this Privacy Policy and Section 3.5 of the Terms of Service. For Subaccounts used by minors, the primary Account holder’s representation of parental or guardian authority constitutes the parental consent required under applicable law.
15.3 Additional Protections for Minors
We apply additional protections to personal data of Subaccount users who are minors, including:
- we do not use their personal data to send marketing communications;
- we do not “sell” or “share” their personal data (as those terms are defined in U.S. state privacy laws) for cross-context behavioral advertising;
- we do not profile them for behavioral advertising;
- we apply default settings designed to minimize the visibility of their profile information to other users; and
- we provide the primary Account holder with tools to access, review, correct, and delete the minor’s personal data through Account settings or by emailing info@habitualgrowth.com.
15.4 California Minors’ Eraser Rights
California residents under 18 may request removal of content they have posted, as set forth in Part B.4 of the Region-Specific Addendum.
16. Teams Subscriptions (B2B)
16.1 Teams Data Roles
If your employer, organization, or institution (the “Customer”) provides you with access to the Services through a Teams Subscription, the following applies:
- With respect to data about your use of the Services shared with your Teams Administrator (for example, aggregated activity reports described in Section 16.2), Customer is the controller and Habitual Growth is the processor. The terms of our Data Processing Addendum apply.
- With respect to personal data we process about you as an individual user of the Services (for example, your personal habit data, your goals and reflections, and your use of features you access as an individual), Habitual Growth is the controller and processes that data consistent with this Privacy Policy.
16.2 What Teams Administrators See
When five (5) or more users are enrolled in a Team, the Teams Administrator receives aggregated reports about engagement with the Services at the Team level. Teams Administrators do not receive:
- the specific content of your habits, goals, or personal notes (other than as aggregated in Team-scale reports);
- your individual habit logs or reflections (except as aggregated in reports at Team scale); or
- any sensitive personal data you have provided.
Teams Administrators do receive, for Team-level reporting, your name, your work email, your membership in the Team, and aggregated participation and engagement metrics. We do not produce individualized usage reports for Teams Administrators.
16.3 Leaving a Team
If you leave a Team (for example, because you leave the Customer’s organization or the Customer ends its Teams Subscription), your individual Account continues to exist unless you choose to delete it. Personal content and User Content you created independently of your Team remain with you. Data that was part of the Team’s aggregated reporting continues to be held by the Customer in accordance with the Customer’s own retention policies.
17. Third-Party Services
The Services may link to or integrate with third-party services, including Apple Sign-In, Google Sign-In, Facebook Login, Stripe (for payments), Apple Pay and Google Pay (for mobile payments), and others. When you interact with these third-party services, that third party’s privacy policy applies to the interaction. We are not responsible for the privacy practices of third parties.
If we introduce additional third-party integrations in the future (including any health, fitness, or biometric integrations described in Section 4.3 that are not currently offered), we will update this Privacy Policy and, where required, obtain your consent before integrating.
18. Changes to This Privacy Policy
We may update this Privacy Policy from time to time. When we do, we will post the updated Privacy Policy on HabitualGrowth.com/privacy-policy and in the App, and we will update the “Last Updated” date at the top. For material changes that adversely affect your rights, we will provide notice consistent with Section 22 of the Terms of Service (generally, at least 30 days’ advance notice by email, in-app notification, or prominent notice on the Site).
Your continued use of the Services after the effective date of the updated Privacy Policy constitutes your acceptance of the updated terms. If you do not agree, you should stop using the Services and close your Account before the effective date.
We maintain an archive of prior versions of this Privacy Policy. You may request a prior version by emailing info@habitualgrowth.com with the subject line “PRIOR PRIVACY POLICY.”
19. Contact Us and Region-Specific Information
19.1 General Contact
For any privacy-related question, request, or complaint, contact us at:
Habitual Growth, LLC
12081 W Alameda Pkwy, PMB 139
Denver, Colorado, United States
Email: info@habitualgrowth.com
19.2 Subject-Line Conventions
To help us route your request efficiently, please use the following subject lines:
- General privacy question: “PRIVACY”
- Data subject access request (GDPR/UK GDPR): “PRIVACY” followed by your country code
- Deletion request: “DELETE”
- Correction request: “CORRECTION”
- Data portability request: “PORTABILITY”
- Marketing opt-out: “UNSUBSCRIBE”
- AI/ML opt-out: “AI OPT-OUT”
- Subaccount request: “SUBACCOUNT”
- California CCPA/CPRA request: “PRIVACY–CA”
- California “Shine the Light”: “SHINE THE LIGHT”
- California minor content removal: “MINOR REMOVAL”
- Nevada do-not-sell: “NEVADA DO NOT SELL”
- EU DSA notice: “DSA NOTICE”
- India grievance: “GRIEVANCE OFFICER–INDIA”
- Pakistan privacy request: “PRIVACY–PAKISTAN”; Pakistan grievance: “GRIEVANCE–PAKISTAN”
- South Africa POPIA: “INFORMATION OFFICER”
- Security incident report: “SECURITY”
- Transfer safeguards request: “TRANSFER SAFEGUARDS”
- Law enforcement request: “LAW ENFORCEMENT”
19.3 Region-Specific Rights and Contacts
For the specific rights available to you, the timelines we apply, and the supervisory authorities you can contact, please see our Region-Specific Addendum at HabitualGrowth.com/legal/addendum. The Addendum covers the European Economic Area, the United Kingdom, Switzerland, California, other U.S. states with comprehensive privacy laws, Canada (including Quebec), Australia, New Zealand, Singapore, South Africa, the Philippines, India, the United Arab Emirates, Malaysia, Hong Kong, Israel, Kenya, Nigeria, Jamaica, and Pakistan.
19.4 Supervisory Authorities
If you believe we have violated your privacy rights, you have the right to contact your local supervisory authority. Details, including authority names, websites, and subject-line conventions for complaints, are in the Region-Specific Addendum. For EEA residents, a list of supervisory authorities is available at edpb.europa.eu. For UK residents, the supervisory authority is the Information Commissioner’s Office (ico.org.uk).
19.5 Accessibility
If you have a disability and have difficulty accessing this Privacy Policy, please contact us at info@habitualgrowth.com, and we will provide the Privacy Policy in an accessible format.
Thank you for trusting us with your personal data.