Xen Daily Habits Privacy Policy

Effective date

Jun 18, 2025

App covered

Xen Habits on iOS, Android, web

Data controller

CuriousCrafts SAS, CR 19 #25-50, Colombia

Contact / DPO

privacy@curiouscrafts.com.co

Category: Account data

Examples: Email, display name, Apple ID / Google ID

Collected when: Sign-up

Category: Habit entries

Examples: Habit title, target, completion history

Collected when: User inputs or auto-sync

Category: Device data

Examples: Device model, OS version, language

Collected when: App launch

Category: Analytics IDs

Examples: Firebase Installation ID, GAID (Android), IDFV (iOS)

Collected when: First run

Category: Optional data

Examples: HealthKit/Google Fit steps

Collected when: User opts-in

1. Sync & back-up habits across devices.
2. Analytics & crash diagnostics to improve stability.
3. Optional marketing if you tick the marketing box.
4. Compliance with legal obligations and fraud prevention.

Purpose: Account creation & sync

Basis: Contract Art. 6(1)(b)

Purpose: Analytics & security

Basis: Legitimate interest Art. 6(1)(f)

Purpose: Marketing e-mail

Basis: Consent Art. 6(1)(a) – revocable any time

Purpose: Data retention for tax

Basis: Legal obligation Art. 6(1)(c)

We never sell personal data. We share it only with:

Recipient: Cloud host “Digital Ocean”

Reason: Database & file storage

Safeguard: Standard Contractual Clauses (EU)

Recipient: Firebase Analytics / Crashlytics

Reason: Usage metrics, crash logs

Safeguard: Anonymised where possible

Recipient: Apple HealthKit / Google Fit

Reason: Optional habit automation

Safeguard: Data stays on device unless you enable sync

If we move data outside your jurisdiction, we rely on:

• EU-US Data Privacy Framework or SCCs for EU/EEA users.
• LGPD-compliant contractual clauses for Brazilian users.
• Adequacy decisions or equivalent safeguards elsewhere.

Data: Active account data

Retention trigger: Last login

Retention period: Until user deletes account + 30 days

Data: Analytics logs

Retention trigger: Creation

Retention period: 24 months, then aggregated

Data: Crash dumps

Retention trigger: Crash date

Retention period: 90 days

• Access, rectification, deletion, portability (GDPR Arts. 15-20; LGPD Arts. 18-22; Colombia Law 1581 Art. 8)
• Withdraw consent at any moment.
• Opt-out of “sale or share” (California CPRA).
  Submit requests via Settings → Privacy → Request Data or e-mail.

We do not knowingly collect data from users under 16 (or lower age allowed by local law).
If you are under the minimum age, use the app offline only—do not create an account. Parents may request deletion via e-mail.

• End-to-end TLS for all traffic.
• At-rest encryption LUKS (Linux Unified Key Setup) on our servers.
• Role-based staff access; quarterly audits.

Inside the app: Settings → Delete Account instantly removes your cloud data and sign-in tokens; local device data is erased at next launch. We confirm deletion by e-mail within 14 days.

We do not use web cookies. The app stores a Firebase Installation ID (Android) or IDFV (iOS) for analytics; it is resettable from Settings. We request ATT permission before accessing IDFA.

We’ll post any update here at least 7 days before it takes effect. Major changes (e.g., new data types) will trigger an in-app notice.

Data Protection Officer
Orlando Rincón
privacy@curiouscrafts.com.co