Privacy Policy
1. Data Controller
Iker Romero Caramés, domiciled in Galicia, with NIF/CIF 49667948T.
Contact email: [email protected]
2. Information Collected
We collect the following personal information:
- First and last name
- Email address
- Email image
- Service usage data (registered habits, frequency of use, etc.)
Additionally, we use tracking technologies for analytics:
- By default, we use an anonymous tracking mode that temporarily stores data in browser memory, without using persistent cookies.
- With explicit user consent, we may use cookies and local storage to provide a more personalized experience and collect more detailed usage data.
Users can manage their tracking preferences at any time through the "Cookies" option in their account dropdown menu. Choosing not to consent does not affect basic service functionality.
3. Purpose of Processing
We use the collected information to:
- Provide and maintain the HabitsFlow service
- Improve and personalize the user experience
- Send service-related communications
- Comply with legal obligations
4. Legal Basis for Processing
Data processing is based on:
- The performance of the service contract
- User consent for sending commercial communications
- Legitimate interest for service improvement
5. Data Recipients
HabitsFlow does not share personal information with third parties, except when necessary for service provision or required by law.
6. Data Storage and International Transfers
HabitsFlow strives to keep your data within the European Economic Area (EEA) whenever possible. Our data storage and processing practices are as follows:
1. Primary Data Storage:
- We use MongoDB Atlas for database storage and management.
- Our cluster is hosted in Paris, France (AWS eu-west-3 region), meaning your data primarily remains within the EEA.
- MongoDB Atlas uses Amazon Web Services (AWS) as its cloud infrastructure provider.
2. AWS Services:
- While data is stored on servers located in the EEA, AWS, as a global provider, may access data for maintenance and support purposes from locations outside the EEA.
- AWS operates under strong contractual commitments and adheres to EU-approved standard contractual clauses for any international data transfers.
3. Payment Processing:
- For web users, we use Stripe, Inc. services, headquartered in the United States, to securely process payments. This may involve transferring certain personal data to servers located in the United States.
- For users who access HabitsFlow through the Google Play Store, payments are processed by Google LLC through Google Play Billing. Google may process payment data on servers located in the United States, in accordance with its own privacy policy.
For all international data transfers, whether through AWS, Stripe, or Google, we ensure they are conducted under appropriate safeguards, including:
- Standard contractual clauses approved by the European Commission.
- Technical and organizational measures implemented by our providers to protect personal data.
We ensure that all our service providers comply with the data protection standards required by the EU's General Data Protection Regulation (GDPR).
You can learn more about our providers' privacy practices in their respective policies.
If you would like more information about your data storage or the guarantees implemented for international transfers, you can contact us using the information provided in this policy.
7. Data Retention
We will retain your HabitsFlow account data for the following reasons:
- Allow you to access or reactivate your account at any time if you decide to use our services.
- Analyze the use of our service to improve our offerings and user experience.
- Occasionally send you information about our service updates, special offers, or content we believe may be of interest based on your previous interaction with HabitsFlow.
- Maintain a historical record of user interactions with our service for long-term analysis and continuous improvement purposes.
This processing is based on our legitimate interest in maintaining a relationship with current and past users, improving our services, and conducting direct marketing activities.
We will retain your data as long as necessary for these purposes and as long as you do not object to such processing. You have the right to object to this processing at any time, as well as to request the deletion of your personal data. You can exercise these rights by contacting us at [email protected].
If you request the deletion of your data or object to its processing, we will proceed to delete or irreversibly anonymize it, unless there is a legal obligation to retain it or it is necessary for the establishment, exercise, or defense of legal claims.
To comply with our legal and tax obligations, some basic transaction data may be retained for longer periods, in accordance with applicable legal requirements.
8. User Rights
Users can exercise their rights of access, rectification, deletion, objection, restriction of processing, and data portability by sending an email to [email protected].
9. Security Measures
At HabitsFlow, the security of your personal data is a priority. We implement and maintain technical, administrative, and physical security measures designed to protect your personal data against unauthorized access, destruction, loss, alteration, or disclosure. These measures include, but are not limited to:
- Encryption: we use industry-standard encryption protocols (such as TLS) to protect data transmission between your device and our servers.
- Robust authentication: we implement secure authentication methods, including strong passwords and, where applicable, two-factor authentication for user accounts and administrative access.
- Updates and patches: we keep our systems and software updated with the latest security patches to mitigate known vulnerabilities.
- Trusted providers: we work with reputable cloud service providers (such as AWS and MongoDB Atlas) that comply with strict security standards and industry certifications.
- Infrastructure security: MongoDB Atlas uses enterprise-level cloud providers (such as AWS) that implement physical and logical security measures in their data centers. Additionally, MongoDB Atlas implements its own security layers, including encryption of data at rest and in transit, role-based access controls, and continuous security monitoring.
Despite our efforts, no method of transmission over the Internet or method of electronic storage is 100% secure. Therefore, while we strive to use commercially acceptable means to protect your personal data, we cannot guarantee its absolute security.
We continuously evaluate and improve our security measures to adapt to new threats and technologies. If you have any questions about the security of your personal data, please contact us at [email protected].
10. Privacy Policy Changes
We reserve the right to modify this privacy policy. Changes will be posted on this page and, in case of substantial modifications, users will be notified by email.