Privacy Policy

Last updated: February 22, 2026

1. Data Controller

The controller of your personal data is:

Note: If you need to contact by postal mail or have specific legal inquiries, email us at the address above and we will provide the necessary information.

2. Information We Collect

We collect the following information when you use Quitchi:

  • Account information: email, name (if provided), unique user identifier (UUID)
  • Smoking-related data: date you quit smoking, daily number of cigarettes, tobacco price and currency. This data is voluntarily entered by you and is used exclusively to calculate your personal progress.
  • Usage and progress data: Quitchi pet progress level (stages, XP, mood), completed activities (self-care, motivation, relaxation), daily reflections, breathing exercises completed, games completed (Memory, Harmony), Greenhouse interaction history (questions, answers, votes), personalised wish lists, list of reasons to quit smoking, purchased and active pots, seeds earned based on your progress
  • Push notifications: if enabled, we store a device token (Firebase Cloud Messaging) to send you personalised reminders about milestones, breathing exercises and daily reflections
  • Technical information: device type, operating system, app version, session identifier, platform (iOS, Android, Web)
  • Analytics data: we use Firebase Analytics to understand how the app is used in aggregate and anonymous form. This includes navigation events, feature usage, app errors and session duration
  • Subscription and payment data: if you subscribe to Premium, we collect information about your subscription: RevenueCat transaction ID, purchase date, subscription type (monthly/yearly), entitlement status per RevenueCat, expiry date, purchase platform (App Store or Play Store). We do not store credit card data; this is handled directly by Apple or Google.

⚠️ Important notice: The data about your smoking habit that you enter into Quitchi is considered health-related data. Quitchi is NOT a medical application, does not perform diagnoses, and does not replace the advice of a healthcare professional. All information you provide is voluntary and is used solely to calculate personal progress statistics.

3. Legal Basis for Processing (GDPR)

In accordance with the General Data Protection Regulation (GDPR), we process your personal data under the following legal bases:

πŸ“‹ Contract performance (Art. 6.1.b GDPR)

The processing of your account and profile data is necessary to provide you with Quitchi service: calculate your progress, show statistics, and manage your account. For premium subscriptions, we process transaction and billing data necessary to manage your subscription and provide access to premium features.

βœ… Explicit consent (Art. 6.1.a and Art. 9.2.a GDPR)

Health-related data: We process data about your smoking habit (special category under Art. 9 GDPR) with your explicit consent, which you grant by accepting this policy and voluntarily entering such information in the application.

Push notifications: We only send notifications if you expressly enable them in settings.

Analytics: Firebase Analytics collects aggregated usage data with your consent when using the application.

πŸ”’ Legitimate interest (Art. 6.1.f GDPR)

We maintain security logs and apply protective measures to prevent fraud and ensure service security.

Withdrawal of consent: You can withdraw your consent at any time by deleting your account from Settings β†’ Delete my account, or by contacting us at contact@quitchi.com . Withdrawal does not affect the lawfulness of processing based on consent prior to its withdrawal.

4. How We Use Your Information

We use your information to:

  • Provide and maintain Quitchi service (progress calculation, account management, data synchronisation)
  • Calculate and display your personal progress statistics (days without smoking, money saved, cigarettes avoided, health improvements)
  • Personalise your experience in the app (activities recommended for your level, adapted reflections, relevant content)
  • Send you milestone notifications and reminders (if enabled): achievements, breathing exercises, daily reflections
  • Manage premium features (unlimited breathing exercises, wish lists and reasons with no limit, unlimited games, full Greenhouse access)
  • Improve our services and develop new features based on aggregated usage patterns
  • Communicate with you about important service updates, changes to terms or premium features
  • Ensure security and prevent service abuse (fraud detection, account protection, rate limiting)

5. Sharing Information

We do not sell or share your personal information with third parties for marketing purposes. We only share information in the following cases:

  • With your explicit consent
  • To comply with legal obligations
  • With service providers who help us operate the application (see section 6)

RevenueCat: Processes payments and manages premium subscriptions. RevenueCat acts as a data processor under its Data Processing Agreement (DPA) and only processes the information necessary to manage subscriptions.

6. International Data Transfers

Your data may be stored and processed by service providers located outside the European Economic Area (EEA):

  • Supabase: Database infrastructure and authentication. Servers are located in certified regions with appropriate security measures. View Supabase policy
  • Google/Firebase: For OAuth authentication, push notifications (Firebase Cloud Messaging) and analytics (Firebase Analytics). View Firebase policy
  • RevenueCat: For payment processing and premium subscription management. Servers are located in the United States with appropriate security measures. View RevenueCat policy

All international data transfers are protected through:

  • Standard Contractual Clauses (SCCs) approved by the European Commission
  • Data encryption in transit and at rest
  • Data Processing Agreements (DPA) with all providers

7. Data Retention Period

We retain your personal data for the following periods:

  • Account and profile data: While your account is active or as necessary to provide services to you. Includes: email, name, user preferences, notification settings.
  • Progress and statistics data: Until you request deletion or close your account. Includes: Quitchi level, progress statistics, completed activities, reflections, games played, pots and seeds.
  • Security logs: 12 months from generation (for legitimate security and fraud prevention interest)
  • Feedback and support data: 6 months from receipt or until you request deletion (period extended if there is an active support case)
  • Subscription and transaction data: While your account is active and as necessary to comply with legal and tax requirements. This includes: subscription history, transactions processed by RevenueCat, renewal dates. Transaction data is retained for at least 7 years as required by Spanish and European tax legislation.

After account deletion, all your identifiable personal data is completely removed from our systems within a maximum of 30 days, except: transaction data that must be retained for legal tax obligations (7 years), aggregated and anonymised data for statistical analysis (with no possibility of re-identification).

8. Data Security

We implement appropriate security measures to protect your personal information. We use encryption for data in transit and secure cloud storage through Supabase.

Security measures implemented:

  • TLS/SSL encryption for all communications
  • Row Level Security (RLS) in database
  • Rate limiting to prevent abuse
  • Secure authentication via Google OAuth or OTP code
  • Encrypted storage on mobile devices

9. Local Storage Technologies and Data Synchronisation

Quitchi uses a hybrid storage system to provide an optimal experience:

  • localStorage (Complementary Web Version):
    • Purpose: In the complementary web version (browser access), we temporarily store: user preferences, session tokens, reflection and activity state, cooldown times. Data is automatically synced with the database when connected.
    • Duration: Until you log out, delete your account, or clear browser data
    • Deletion: Automatic when logging out or manual from browser settings (Application β†’ Storage)
  • sessionStorage (Web Version):
    • Purpose: In the web version, to hold temporary data for the active session (navigation state, forms in progress)
    • Duration: Only while the tab/app is open
    • Deletion: Automatic when closing the tab or application
  • Capacitor Preferences (Main Mobile App - iOS/Android):
    • Purpose: Secure, encrypted storage on your mobile device for: Quitchi progress (level, XP, state), completed activities and their cooldowns, pending reflections, notification preferences, pots and seeds, authentication tokens. This data is automatically synced with Supabase when a connection is available. This is the main storage method for mobile app users.
    • Duration: Until you log out, delete your account, or uninstall the app
    • Deletion: Automatic when logging out, deleting account, or uninstalling the app from your device

⚠️ Important: We do not use third-party cookies for tracking or advertising. Storage technologies are used exclusively for the mobile application and to improve your experience. All sensitive data is encrypted both in transit (TLS/SSL) and at rest (database encryption). The web version is complementary and full premium features are primarily available in the mobile applications.

10. Your Data Protection Rights

Depending on your country of residence, you have specific rights regarding your personal data:

πŸ“‹ General Rights (all users)

  • Right of access: Request a copy of your personal data
  • Right of rectification: Correct incorrect or incomplete data
  • Right of erasure: Request deletion of your data
  • Right of portability: Obtain your data in a structured and readable format
  • Right to object: Object to processing of your data
  • Right to withdraw consent: At any time, without affecting the lawfulness of prior processing

πŸ‡ͺπŸ‡Ί Spain and European Union (GDPR)

If you reside in Spain or the European Union, your rights are protected by the General Data Protection Regulation (GDPR). You have an additional right to restriction of processing and to lodge a complaint with the Spanish Data Protection Agency (AEPD) at www.aepd.es

UK residents: Information Commissioner's Office (ICO) - ico.org.uk

πŸ‡ΊπŸ‡Έ United States

If you reside in the United States, your rights vary by state. California residents have rights under CCPA (see section 3). Other states may have additional privacy laws.

Federal Trade Commission (FTC): ftc.gov

πŸ‡¨πŸ‡¦ Canada (PIPEDA)

If you reside in Canada, your rights are protected by the Personal Information Protection and Electronic Documents Act (PIPEDA).

Office of the Privacy Commissioner of Canada: priv.gc.ca

πŸ‡¦πŸ‡Ί Australia (Privacy Act 1988)

If you reside in Australia, your rights are protected by the Privacy Act 1988 and the Australian Privacy Principles (APPs).

Office of the Australian Information Commissioner (OAIC): oaic.gov.au

🌎 Latin America

If you reside in Latin America, your rights are protected by your country's legislation:

  • πŸ‡²πŸ‡½ Mexico: Federal Law on Protection of Personal Data (LFPDPPP) - INAI: home.inai.org.mx home.inai.org.mx
  • πŸ‡¦πŸ‡· Argentina: Law 25.326 on Data Protection - AAIP: argentina.gob.ar/aaip argentina.gob.ar/aaip
  • πŸ‡¨πŸ‡΄ Colombia: Law 1581 of 2012 - SIC: sic.gov.co sic.gov.co
  • πŸ‡¨πŸ‡± Chile: Law 19.628 on Data Protection
  • πŸ‡΅πŸ‡ͺ Peru: Law 29733 on Data Protection - APDP
  • πŸ‡ΊπŸ‡Ύ Uruguay: Law 18.331 - URCDP: gub.uy/urcdp gub.uy/urcdp

11. How to Exercise Your Rights

To exercise any of the above rights, follow these steps:

  1. Send an email to {'contact@quitchi.com'} with the subject "Exercise of Data Protection Rights"
  2. Include your registered email address in Quitchi for verification
  3. Clearly specify which right you wish to exercise
  4. Provide any additional information that helps us process your request

Response time: We will respond to your request within a maximum of 30 days from receipt (45 days for CCPA requests).

πŸ’‘ Delete your account: You can delete your account directly from the app in Settings β†’ Delete my account. This will remove all your data within 30 days.

12. Right to Lodge a Complaint

If you are not satisfied with how we have handled your request or have concerns about our data management, you have the right to lodge a complaint with your local data protection authority.

Contact your country's authority:

  • πŸ‡ͺπŸ‡Έ Spain: AEPD - www.aepd.es
  • πŸ‡²πŸ‡½ Mexico: INAI - home.inai.org.mx
  • πŸ‡¦πŸ‡· Argentina: AAIP - argentina.gob.ar/aaip
  • πŸ‡¨πŸ‡΄ Colombia: SIC - sic.gov.co
  • πŸ‡¨πŸ‡± Chile: Personal Data Protection Agency - subtel.gob.cl
  • πŸ‡΅πŸ‡ͺ Peru: APDP (National Authority for Personal Data Protection) - gob.pe/pdp
  • πŸ‡ΊπŸ‡Ύ Uruguay: URCDP (Regulatory and Control Unit for Personal Data) - gub.uy/urcdp
  • πŸ‡§πŸ‡· Brazil: ANPD (National Data Protection Authority) - gov.br/anpd
  • πŸ‡¬πŸ‡§ United Kingdom: ICO (Information Commissioner's Office) - ico.org.uk
  • πŸ‡ΊπŸ‡Έ United States: FTC (Federal Trade Commission) - ftc.gov
  • πŸ‡¨πŸ‡¦ Canada: OPC (Office of the Privacy Commissioner) - priv.gc.ca
  • πŸ‡¦πŸ‡Ί Australia: OAIC (Office of the Australian Information Commissioner) - oaic.gov.au
  • Other countries: Contact the data protection authority in your country of residence

13. Minors

Quitchi is not directed at minors under 18 years of age. We do not intentionally collect information from minors. If we discover that we have collected data from a minor without parental consent, we will take steps to delete that information immediately.

14. Changes to this Policy

We may update this privacy policy occasionally to reflect changes in our practices or for legal, operational, or regulatory reasons.

We will notify you of any significant changes through:

  • A prominent notice in the application
  • Email to your registered address (for material changes)
  • Update of the "Last updated" date at the top of this document

We recommend reviewing this policy periodically. Continued use of the application after changes constitutes your acceptance of the updated policy.

15. Contact

For any inquiries about this Privacy Policy, exercise of rights, or concerns about the protection of your data, contact us:

We commit to responding to all inquiries within 30 days. For urgent requests, please indicate this in the email subject.