Privacy Policy
The short version: Habstack works anonymously by default. Your savings goal, amounts, and PIN stay on your device. You can optionally bind a Google account or email so you can recover your data if you uninstall — that's the only personal data we store on our servers, and you choose when (or whether) to give it. We never sell or share your data with advertisers.
1. Who we are
Habstack is a stealth-savings mobile application operated as a sole proprietorship in Maharashtra, India. References to "Habstack", "we", "us" or "our" mean the proprietorship.
Our registered contact address is Maharashtra, India. Our principal email for privacy and legal queries is habstack.in@gmail.com.
This policy applies to the Habstack Android app (package com.habstack.app), our website at habstack.in, and any related services. It explains what personal data we collect, why, how we use it, and the rights you have under India's Digital Personal Data Protection Act, 2023 (DPDP Act).
2. What data we collect
Habstack is designed so most data stays on your device. Here is the complete inventory:
Data that only lives on your device (we never see it)
- Your savings goal name, amount, target days, and frequency
- Your day-by-day contribution amounts
- Your local PIN code that unlocks the vault
- Your theme and language preferences
- Your phone number (legacy install identifier; used only to flag your local session)
These are stored in your phone's encrypted AsyncStorage. Uninstalling the app deletes them.
Data that lives on our servers
We only create a server-side record once you do something that requires sync (joining a joint goal, paying for a plan, signing in for recovery, or earning referral credits). Even then, most records are keyed to an anonymous identifier and contain no personally identifiable information.
| Category | What it contains | When it's created |
|---|---|---|
| Anonymous user ID | A random UUID issued by our auth provider. Not linked to any identity until you sign in. | First app open |
| Subscription record | Tier (Plus/Family), expiry date, last payment reference | First paid subscription |
| Referral code & credits | Your shareable code (e.g. PP-XXXXXX), credits earned, device hash (anti-abuse) | First app open |
| Email address | The email you used at checkout or for recovery sign-in | First Razorpay payment, OR you sign in with Google / email-OTP |
| Phone number | The phone you entered at the Razorpay checkout sheet | First Razorpay payment |
| Joint goal data | Goal name, target, member IDs, contribution history (visible to all goal members only) | You create or join a joint goal |
| Cloud backup of your vault | An encrypted-at-rest snapshot of your local goal + day history | Only if you've signed in with Google or email. Anonymous users are never backed up. |
| Webhook event log | Internal record of Razorpay payment events (payment ID, amount, status). No card details. | Every successful payment |
What we do NOT collect
- Your location, contacts list, photos, calendar, or microphone audio
- Your card or bank account numbers — those go directly to Razorpay (PCI-DSS Level 1) and never touch our servers
- Your browsing or app usage outside Habstack
- Identifiers used for cross-app advertising tracking
3. Why we collect each piece (legal basis under DPDP)
| Data category | Purpose | Legal basis (DPDP) |
|---|---|---|
| Anonymous UID | Run the app, sync joint goals, attribute subscription | Performance of service |
| Email (Google / email-OTP) | Account recovery on reinstall | Consent (explicit, at sign-in) |
| Phone (Razorpay capture) | Payment processing & refund eligibility | Performance of contract |
| Vault cloud backup | Restore your data after uninstall | Consent (you opted in by signing in) |
| Referral code + device hash | Prevent referral farming abuse | Legitimate interest |
| Payment + webhook records | Subscription management, refunds, tax records | Performance of contract; legal obligation (tax) |
4. How long we keep it
- Anonymous UID and subscription state: for as long as your account is active. Deleted within 30 days of account deletion.
- Vault cloud backup: overwritten with each app save. Deleted within 30 days of account deletion.
- Email and phone: until you ask us to remove them, or 12 months after your last activity, whichever is earlier.
- Payment records: retained for 7 years to comply with Indian tax and audit law (Section 44AA of the Income Tax Act). Personal identifiers within payment records may be redacted on request.
- Referral records: 12 months after the last related activity, then deleted.
- Webhook event log: 90 days, then deleted.
5. Who we share your data with
We use the following sub-processors. We share only the minimum data each needs to do its job:
| Sub-processor | What they do | Data shared | Location |
|---|---|---|---|
| Supabase Inc. | Database, auth, edge functions | All server-side data above | India |
| Razorpay Software Pvt Ltd | Payment processing | Email, phone, payment amount | India |
| Google LLC | OAuth sign-in (only if you choose Google) | Email, basic profile (name, profile picture) | United States |
| Cloudflare Inc. | App update delivery (R2 storage) | App binary download requests (anonymous) | Global edge |
| Resend Inc. | Sending email magic-link sign-in and account recovery emails | Email address only | United States |
We do not share your data with advertisers, data brokers, or any third party for marketing purposes. We have never sold personal data and we never will.
We may share data with law enforcement or regulators if compelled by a valid Indian legal order, and only the minimum data required.
6. Your rights under the DPDP Act
India's Digital Personal Data Protection Act, 2023 gives you the following rights:
- Right to access: request a copy of the personal data we hold about you.
- Right to correction: ask us to correct inaccurate or outdated data.
- Right to erasure: ask us to delete your account and personal data (except records we are legally required to retain, such as tax records).
- Right to withdraw consent: withdraw consent for processing at any time. If we have no other legal basis to keep your data, we will delete it.
- Right of grievance redressal: raise complaints with our Grievance Officer (section 11) and, if unresolved, escalate to the Data Protection Board of India.
To exercise any right, email habstack.in@gmail.com with the subject "DPDP request". We will respond within 30 days as required by the Act.
You can also delete your account from inside the app: Settings → Delete my data. This wipes your local state and queues your server-side data for deletion within 30 days.
7. How we protect your data
- All data in transit uses TLS 1.2+ (HTTPS).
- Data at rest in Supabase is encrypted with AES-256.
- Database access is gated by row-level security policies — even our own server cannot read data outside the policy boundary.
- Payment data (card numbers, CVV, bank credentials) is processed by Razorpay, who hold PCI-DSS Level 1 certification. We never store this data.
- Multi-factor authentication is enforced on all internal admin accounts.
- Your local vault is encrypted by your PIN; we never know your PIN.
No system is 100% breach-proof. If we ever become aware of a personal data breach affecting you, we will notify you and the Data Protection Board of India within 72 hours, as required by the DPDP Act.
8. Children
Habstack is intended for users 18 years and older. We do not knowingly collect personal data from anyone under 18. If you believe a minor has provided us their data, contact our Grievance Officer and we will delete the data promptly.
9. International transfers
Most of your data stays in India (Supabase India, Razorpay India). Some data is processed abroad by Google (OAuth, United States) and Cloudflare (global edge). The DPDP Act permits these transfers by default. If India later restricts transfers to specific countries, we will update this policy and notify you.
10. Changes to this policy
We may update this policy when we add new features or sub-processors. Material changes will be announced via an in-app banner and emailed to users with a bound email. The "Last updated" date at the top of this page always reflects the most recent change.
11. Grievance Officer & contact
As required by the DPDP Act, we have designated a Grievance Officer:
Habstack Grievance Officer
Email: habstack.in@gmail.com
Postal address: Maharashtra, India
Response window: within 30 days of receipt
If your concern is not resolved to your satisfaction, you may escalate to the Data Protection Board of India at dpdpa.gov.in once the Board is operational.