Privacy Policy

Last updated: May 18, 2026

1. Data Controller

The controller of your personal data is:

  • Controller: Quitchi
  • Owner: Individual
  • Country: Spain (international operations)
  • Contact email: contact@quitchi.com

Note: If you need to contact us by postal mail or have specific legal inquiries, please email us at the address above and we will provide the necessary information.

2. Information We Collect

We collect the following information when you use Quitchi:

  • Account information: email, name (if provided), unique user identifier (UUID)
  • Smoking-related data: date you quit smoking, daily number of cigarettes, tobacco price and currency. This data is voluntarily entered by you and is used exclusively to calculate your personal progress.
  • Usage and progress data: Quitchi pet progress level (stages, XP, mood), completed activities (self-care, motivation, relaxation), daily reflections, breathing exercises completed, games completed (Memory, Armonia), Greenhouse interaction history (questions, answers, votes), custom wish lists, reasons to quit smoking list, pots purchased and active, seeds earned based on your progress
  • Push notifications: if you enable them, we store a device token (Firebase Cloud Messaging) to send you personalised reminders about milestones, breathing exercises and daily reflections
  • Technical information: device type, operating system, app version, session identifier, platform (iOS, Android, Web)
  • Analytics data: we use Firebase Analytics to understand how the application is used in aggregate and anonymous form. This includes navigation events, feature usage, application errors and session duration
  • Subscription and payment data: if you subscribe to Premium, we collect information about your subscription: RevenueCat transaction ID, purchase date, subscription type (monthly/yearly), entitlement status according to RevenueCat, expiry date, purchase platform (App Store or Play Store). We do not store credit card data; these are handled directly by Apple or Google.

Important notice: The data about your smoking habits that you enter into Quitchi is considered health-related data. Quitchi is NOT a medical application, does not perform diagnoses, and does not replace the advice of a healthcare professional. All information you provide is voluntary and is used solely to calculate personal progress statistics.

3. Legal basis and grounds for processing

We process your personal data in accordance with applicable data protection laws in the countries where we operate, including frameworks such as GDPR and equivalent local laws:

Service performance

The processing of your account and profile data is necessary to provide you with the Quitchi service: calculate your progress, show statistics and manage your account. For premium subscriptions, we process transaction and billing data necessary to manage your subscription and provide you with access to premium features.

Consent

Health-related data: We process data about your smoking habits (when local law treats it as sensitive data) with your explicit consent, which you give by accepting this policy and voluntarily entering such information in the application.

Push notifications: We only send notifications if you expressly enable them in settings.

Analytics: Firebase Analytics collects aggregated usage data with your consent when using the application.

Legitimate interest and security

We maintain security logs and apply protective measures to prevent fraud and ensure service security.

Withdrawal of consent: You can withdraw your consent at any time by deleting your account from Settings → Delete my account, or by contacting us at contact@quitchi.com . Withdrawal does not affect the lawfulness of processing based on consent prior to its withdrawal.

4. How We Use Your Information

We use your information to:

  • Provide and maintain the Quitchi service (progress calculation, account management, data synchronisation)
  • Calculate and display your personal progress statistics (days smoke-free, money saved, cigarettes avoided, health improvements)
  • Personalise your experience in the application (activities recommended for your level, tailored reflections, relevant content)
  • Send you milestone notifications and reminders (if enabled): achievements, breathing exercises, daily reflections
  • Manage premium features (unlimited breathing exercises, unlimited wish and reason lists, unlimited games, full Greenhouse access)
  • Improve our services and develop new features based on aggregated usage patterns
  • Communicate with you about important service updates, changes to terms or premium features
  • Ensure security and prevent service abuse (fraud detection, account protection, rate limiting)

5. Sharing Information

We do NOT sell or share your personal information with third parties for marketing purposes. We only share information in the following cases:

  • With your explicit consent
  • To comply with legal obligations
  • With service providers who help us operate the application (see section 6)

RevenueCat: Processes payments and manages premium subscriptions. RevenueCat acts as a data processor according to its Data Processing Agreement (DPA) and only processes information necessary to manage subscriptions.

6. International Data Transfers

Your data may be stored and processed by service providers located outside the European Economic Area (EEA):

  • Supabase: Database infrastructure and authentication. Servers are located in certified regions with appropriate security measures. View Supabase policy
  • Google/Firebase: For OAuth authentication, push notifications (Firebase Cloud Messaging) and analytics (Firebase Analytics). View Firebase policy
  • RevenueCat: For payment processing and premium subscription management. Servers are located in the United States with appropriate security measures. View RevenueCat policy

All international data transfers are protected through:

  • Standard Contractual Clauses (SCCs) approved by the European Commission
  • Data encryption in transit and at rest
  • Data Processing Agreements (DPA) with all providers

7. Data Retention Period

We retain your personal data for the following periods:

  • Account and profile data: While your account is active or as necessary to provide services to you. Includes: email, name, user preferences, notification settings.
  • Progress and statistics data: Until you request deletion or close your account. Includes: Quitchi level, progress statistics, completed activities, reflections, games played, pots and seeds.
  • Greenhouse (community) data: Questions and answers you post in Greenhouse are retained while your account is active. You can delete your own posts at any time from the application. When you delete your account, your posts are deleted or anonymised according to your preference.
  • Security logs: 12 months from generation (for legitimate interest in security and fraud prevention)
  • Feedback and support data: 6 months from receipt or until you request deletion (period extends if there is an active support case)
  • Subscription and transaction data: While your account is active and as necessary to comply with applicable legal, tax, and accounting requirements. This includes: subscription history, transactions processed by RevenueCat, and renewal dates. We retain transaction data for the period required by applicable law in each relevant jurisdiction.
  • Local cache (Capacitor/localStorage): Data stored locally on your device persists until you: log out, delete your account, uninstall the application, or clear browser data manually. This data is used to improve performance and allow offline use.

After deletion of your account, all your identifiable personal data is completely removed from our systems within a maximum of 30 days, except: transaction data that must be retained for tax legal obligation (7 years), aggregated and anonymised data for statistical analysis (with no possibility of re-identification).

8. Data Security

We implement appropriate security measures to protect your personal information. We use encryption for data in transit and secure cloud storage through Supabase.

Security measures implemented:

  • TLS/SSL encryption for all communications
  • Row Level Security (RLS) in database
  • Rate limiting to prevent abuse
  • Secure authentication via Google OAuth or OTP code
  • Encrypted storage on mobile devices

9. Local Storage Technologies and Data Synchronisation

Quitchi uses a hybrid storage system to provide an optimal experience:

  • localStorage (Complementary Web Version):
    • Purpose: In the complementary web version (browser access), we temporarily store: user preferences, session tokens, reflection and activity state, cooldown times. Data is automatically synced with the database when a connection is available.
    • Duration: Until you log out, delete your account or clear browser data
    • Deletion: Automatic when logging out or manual from browser settings (Application → Storage)
  • sessionStorage (Web Version):
    • Purpose: In the web version, keep temporary data for the active session (navigation state, forms in progress)
    • Duration: Only while the tab/app is open
    • Deletion: Automatic when closing the tab or application
  • Capacitor Preferences (Main Mobile App - iOS/Android):
    • Purpose: Secure, encrypted storage on your mobile device for: Quitchi progress (level, XP, state), completed activities and their cooldowns, pending reflections, notification preferences, pots and seeds, authentication tokens. This data is automatically synced with Supabase when a connection is available. This is the primary storage method for mobile app users.
    • Duration: Until you log out, delete your account or uninstall the application
    • Deletion: Automatic when logging out, deleting account or uninstalling the app from your device

Important: We do not use third-party cookies for tracking or advertising. Storage technologies are used exclusively for the operation of the mobile application and to improve your experience. All sensitive data is encrypted both in transit (TLS/SSL) and at rest (database encryption). The web version is complementary and full premium features are primarily available on the mobile applications.

10. Your Data Protection Rights

You have rights over your personal data regardless of your country of residence. Additional rights may apply depending on your local law:

General Rights (all users)

  • Right of access: Request a copy of your personal data
  • Right of rectification: Correct inaccurate or incomplete data
  • Right of erasure: Request deletion of your data
  • Right of data portability: Obtain your data in a structured and readable format
  • Right to object: Object to processing of your data
  • Right to withdraw consent: At any time, without affecting the lawfulness of prior processing

Additional rights by region

If your local law grants additional rights (for example, restriction rights, expanded objection rights, or specific appeal mechanisms), we will honor them when applicable to your request.

Competent supervisory authority

You may lodge a complaint with the data protection or consumer authority in your place of residence. If you are unsure which authority applies, contact us and we will help you identify it.

11. How to Exercise Your Rights

To exercise any of the above rights, follow these steps:

  1. Send an email to contact@quitchi.com with the subject "Exercise of privacy rights"
  2. Include your registered email address in Quitchi for verification
  3. Clearly specify which right you wish to exercise
  4. Provide any additional information that helps us process your request

Response time: We will respond within the timeframe required by applicable law and, where no specific legal deadline applies, within a maximum of 30 days from receipt.

Delete your account: You can delete your account directly from the app in Settings → Delete my account. This will remove all your data within 30 days.

12. Right to Lodge a Complaint

If you are not satisfied with how we handled your request or you have concerns about our data practices, you may lodge a complaint with the competent authority in your place of residence.

Available options:

  • Submit a complaint to the local data protection or consumer authority that applies in your jurisdiction.
  • You may also contact us first so we can try to resolve the issue amicably and guide you to the appropriate authority.

13. Minors

Quitchi is not directed at minors under 18 years of age. We do not intentionally collect information from minors. If we discover that we have collected data from a minor without parental consent, we will take steps to delete that information immediately.

14. Changes to this Policy

We may update this privacy policy occasionally to reflect changes in our practices or for legal, operational, or regulatory reasons.

We will notify you of any significant changes through:

  • A prominent notice in the application
  • Email to your registered address (for material changes)
  • Update of the "Last updated" date at the top of this document

We recommend reviewing this policy periodically. Continued use of the application after changes constitutes your acceptance of the updated policy.

15. Contact

For any inquiries about this Privacy Policy, exercise of rights, or concerns about the protection of your data, contact us:

  • Controller: Quitchi
  • Email: contact@quitchi.com
  • Country: International operations (main establishment in Spain)

We commit to responding to all inquiries within 30 days. For urgent requests, please indicate this in the email subject.