Privacy Policy

Arhbit (“we,” “us,” or “our”) operates the Arhbit mobile application (the “App”) and the website located at arhbit.com (the “Website”). This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our App and Website (collectively, the “Service”).

By using the Service, you agree to the collection and use of information in accordance with this policy. If you do not agree with this policy, please do not use the Service.

1. Information We Collect

1.1 Information You Provide Directly

Account information: When you create an account, we collect your name and email address. You may also sign in using Google or Apple, in which case we receive your name, email address, and profile identifier from those services.
Habit data: The names, descriptions, frequencies, and categories of habits you create within the App.
Completion data: Records of when you complete, skip, or miss habits, including timestamps and any notes you attach.
Accountability partner information: If you invite an accountability partner, we collect the email address you provide for that person. We send them transactional emails on your behalf.
Calendar data: If you connect your Google Calendar or Microsoft Calendar, we access your calendar solely to create catch-up events related to your accountability habits. We do not read, store, or access any of your existing calendar events.
Support communications: If you contact us for support, we collect the content of your messages along with your email address.

1.2 Information Collected Automatically

Device information: Device type, operating system version, and unique device identifiers for delivering push notifications.
Push notification tokens: If you enable notifications, we store a push notification token to send you habit reminders and accountability alerts.

1.3 Information We Do NOT Collect

We do not collect precise geolocation data.
We do not use analytics or advertising SDKs.
We do not track you across other apps or websites.
We do not sell, rent, or trade your personal data to third parties.
We do not use your data for advertising or ad targeting.

2. How We Use Your Information

We use the information we collect for the following purposes:

Providing the Service: To create and manage your account, track your habits, calculate streaks, generate heatmaps, and manage your companion.
Accountability features: To send progress reports and nudge emails to your designated accountability partner, and to schedule calendar events when habits go off track.
Notifications: To send you habit reminders, streak alerts, and accountability notifications that you have opted into.
Improving the Service: To understand how features are used and to fix bugs and improve performance.
Customer support: To respond to your inquiries and resolve issues.
Legal compliance: To comply with applicable laws, regulations, and legal processes.

3. How We Share Your Information

We do not sell your personal information. We share your information only in the following limited circumstances:

Accountability partners: If you add an accountability partner, we share your habit name, completion status, and streak information with them via email. You control which habits have accountability partners and can remove a partner at any time.
Service providers: We use the following third-party services to operate the App:
- Clerk (authentication) — processes your sign-in credentials. See Clerk's Privacy Policy.
- Convex (backend and database) — stores and processes your habit data. See Convex's Privacy Policy.
- Resend (email delivery) — sends transactional emails such as accountability reports. See Resend's Privacy Policy.
- Expo / EAS (push notifications and app distribution) — delivers push notifications to your device. See Expo's Privacy Policy.
Legal requirements: We may disclose your information if required to do so by law or in response to valid requests by public authorities.

4. Data Storage and Security

Your data is stored on servers operated by Convex, located in the United States.
Calendar OAuth refresh tokens are encrypted at rest using AES-256-GCM encryption before storage.
All data transmitted between your device and our servers is encrypted using TLS (Transport Layer Security).
We implement reasonable administrative, technical, and physical safeguards to protect your data. However, no method of transmission over the Internet or electronic storage is 100% secure, and we cannot guarantee absolute security.

5. Data Retention

Account data: We retain your account information and habit data for as long as your account is active.
Deleted accounts: When you delete your account, we delete all associated personal data within 30 days, except where we are required to retain it by law.
Accountability emails: Transactional emails sent through our email provider are retained according to the provider's retention policies and are not stored separately by Arhbit.

6. Your Rights and Choices

6.1 All Users

Access and portability: You can request a copy of your personal data at any time by contacting us at privacy@arhbit.com.
Correction: You can update your account information within the App at any time.
Deletion: You can delete your account and all associated data from within the App settings or by contacting us.
Notifications: You can disable push notifications at any time through your device settings or the App settings.
Calendar access: You can disconnect your calendar at any time from the App settings. We will delete the stored OAuth tokens immediately.
Accountability partners: You can remove accountability partners at any time, which immediately stops all data sharing with that person.

6.2 European Economic Area (EEA) Residents — GDPR

If you are located in the EEA, you have additional rights under the General Data Protection Regulation (GDPR):

Legal basis for processing: We process your data based on (a) your consent (e.g., enabling notifications), (b) performance of a contract (providing the Service), and (c) our legitimate interests (improving the Service and preventing fraud).
Right to object: You may object to processing based on legitimate interests.
Right to restriction: You may request that we restrict processing of your data in certain circumstances.
Right to erasure: You may request deletion of your personal data.
Data portability: You may request your data in a structured, commonly-used, machine-readable format.
Supervisory authority: You have the right to lodge a complaint with your local data protection authority.

6.3 California Residents — CCPA / CPRA

If you are a California resident, the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA) provide you with specific rights:

Right to know: You may request that we disclose the categories and specific pieces of personal information we have collected about you.
Right to delete: You may request deletion of your personal information.
Right to opt-out of sale: We do not sell personal information. We do not share personal information for cross-context behavioral advertising.
Non-discrimination: We will not discriminate against you for exercising your CCPA rights.

To exercise these rights, contact us at privacy@arhbit.com. We will respond within 45 days.

7. Children's Privacy

The Service is not directed to children under the age of 13 (or 16 in the EEA). We do not knowingly collect personal information from children under these ages. If we become aware that we have collected personal information from a child under the applicable age without parental consent, we will take steps to delete that information promptly. If you believe a child has provided us with personal information, please contact us at privacy@arhbit.com.

8. International Data Transfers

Your information may be transferred to and processed in the United States, where our service providers operate. If you are located outside the United States, please be aware that data protection laws in the United States may differ from those in your jurisdiction. By using the Service, you consent to the transfer of your information to the United States.

For EEA residents, we ensure appropriate safeguards are in place for international transfers, including standard contractual clauses approved by the European Commission.

9. Third-Party Links

The Service may contain links to third-party websites or services. We are not responsible for the privacy practices of those third parties. We encourage you to read the privacy policies of any third-party services you access.

10. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by posting the updated policy in the App and on our Website, and by updating the “Last updated” date. Your continued use of the Service after any changes constitutes your acceptance of the updated policy.

11. Contact Us

If you have questions or concerns about this Privacy Policy, please contact us:

Email: privacy@arhbit.com
General support: support@arhbit.com
Website: https://arhbit.com

12. Apple App Store and Google Play Additional Disclosures

12.1 Apple App Tracking Transparency

Arhbit does not track you across other companies' apps or websites. We do not participate in the Apple advertising ecosystem and do not use the IDFA (Identifier for Advertisers). The App does not request App Tracking Transparency permission because tracking is not performed.

12.2 Apple Privacy Nutrition Labels

The data we collect, as disclosed in the App Store privacy labels:

Contact Info (Email, Name): Used for account creation and app functionality. Linked to your identity.
Identifiers (User ID): Used for app functionality. Linked to your identity.

Data not collected: Location, health, fitness, financial, browsing history, search history, contacts, photos, audio, gameplay, advertising data, diagnostics.

12.3 Google Play Data Safety

As disclosed in the Google Play Data Safety section:

Data shared with third parties: None.
Data collected: Name, email address (account management and app functionality).
Data encrypted in transit: Yes.
Data deletion available: Yes. Users can request account and data deletion.