
1. Who we are

Habstack is a stealth-savings mobile application operated as a sole proprietorship in Maharashtra, India. References to "Habstack", "we", "us" or "our" mean the proprietorship.

Our registered contact address is Maharashtra, India. Our principal email for privacy and legal queries is habstack.in@gmail.com.

This policy applies to the Habstack Android app (package com.habstack.app), our website at habstack.in, and any related services. It explains what personal data we collect, why, how we use it, and the rights you have under India's Digital Personal Data Protection Act, 2023 (DPDP Act).

2. What data we collect

Habstack is designed so most data stays on your device. Here is the complete inventory:

Data that only lives on your device (we never see it)

These are stored in your phone's encrypted AsyncStorage. Uninstalling the app deletes them.

Data that lives on our servers

We only create a server-side record once you do something that requires sync (joining a joint goal, paying for a plan, signing in for recovery, or earning referral credits). Even then, most records are keyed to an anonymous identifier and contain no personally identifiable information.

| Category | What it contains | When it's created |
| --- | --- | --- |
| Anonymous user ID | A random UUID issued by our auth provider. Not linked to any identity until you sign in. | First app open |
| Subscription record | Tier (Plus/Family), expiry date, last payment reference | First paid subscription |
| Referral code & credits | Your shareable code (e.g. PP-XXXXXX), credits earned, device hash (anti-abuse) | First app open |
| Email address | The email you used at checkout or for recovery sign-in | First Razorpay payment, OR you sign in with Google / email-OTP |
| Phone number | The phone you entered at the Razorpay checkout sheet | First Razorpay payment |
| Joint goal data | Goal name, target, member IDs, contribution history (visible to all goal members only) | You create or join a joint goal |
| Cloud backup of your vault | An encrypted-at-rest snapshot of your local goal + day history | Only if you've signed in with Google or email. Anonymous users are never backed up. |
| Webhook event log | Internal record of Razorpay payment events (payment ID, amount, status). No card details. | Every successful payment |

What we do NOT collect

3. Why we collect each piece (legal basis under DPDP)

| Data category | Purpose | Legal basis (DPDP) |
| --- | --- | --- |
| Anonymous UID | Run the app, sync joint goals, attribute subscription | Performance of service |
| Email (Google / email-OTP) | Account recovery on reinstall | Consent (explicit, at sign-in) |
| Phone (Razorpay capture) | Payment processing & refund eligibility | Performance of contract |
| Vault cloud backup | Restore your data after uninstall | Consent (you opted in by signing in) |
| Referral code + device hash | Prevent referral farming abuse | Legitimate interest |
| Payment + webhook records | Subscription management, refunds, tax records | Performance of contract; legal obligation (tax) |

4. How long we keep it

5. Who we share your data with

We use the following sub-processors. We share only the minimum data each needs to do their job:

| Sub-processor | What they do | Data shared | Location |
| --- | --- | --- | --- |
| Supabase Inc. | Database, auth, edge functions | All server-side data above | India |
| Razorpay Software Pvt Ltd | Payment processing | Email, phone, payment amount | India |
| Google LLC | OAuth sign-in (only if you choose Google) | Email, basic profile (name, profile picture) | United States |
| Cloudflare Inc. | App update delivery (R2 storage) | App binary download requests (anonymous) | Global edge |
| Resend Inc. | Sending email magic-link sign-in and account recovery emails | Email address only | United States |

We do not share your data with advertisers, data brokers, or any third party for marketing purposes. We have never sold personal data and we never will.

We may share data with law enforcement or regulators if compelled by a valid Indian legal order, and only the minimum data required.

6. Your rights under the DPDP Act

India's Digital Personal Data Protection Act, 2023 gives you the following rights:

To exercise any right, email habstack.in@gmail.com with the subject "DPDP request". We will respond within 30 days as required by the Act.

You can also delete your account from inside the app: Settings → Delete my data. This wipes your local state and queues your server-side data for deletion within 30 days.

7. How we protect your data

No system is 100% breach-proof. If we ever become aware of a personal data breach affecting you, we will notify you and the Data Protection Board of India within 72 hours, as required by the DPDP Act.

8. Children

Habstack is intended for users 18 years and older. We do not knowingly collect personal data from anyone under 18. If you believe a minor has provided us their data, contact our Grievance Officer and we will delete the data promptly.

9. International transfers

Most of your data stays in India (Supabase India, Razorpay India). Some data is processed abroad by Google (OAuth, United States) and Cloudflare (global edge). The DPDP Act permits these transfers by default. If India later restricts transfers to specific countries, we will update this policy and notify you.

10. Changes to this policy

We may update this policy when we add new features or sub-processors. Material changes will be announced via an in-app banner and emailed to users with a bound email. The "Last updated" date at the top of this page always reflects the most recent change.

11. Grievance Officer & contact

As required by the DPDP Act, we have designated a Grievance Officer:

If your concern is not resolved to your satisfaction, you may escalate to the Data Protection Board of India at dpdpa.gov.in once the Board is operational.