GDPR & Data Protection
Last updated: January 2, 2026
Our Commitment to GDPR
Habitos is committed to protecting your personal data and respecting your privacy rights under the General Data Protection Regulation (GDPR). This page explains how we comply with GDPR requirements and outlines your rights as a data subject.
Your Rights Under GDPR
As a user of Habitos, you have the following rights regarding your personal data:
Right to Access
You can request a copy of all personal data we hold about you.
Right to Portability
Export your data in a machine-readable format (JSON/CSV).
Right to Erasure
Request deletion of your personal data ("right to be forgotten").
Right to Rectification
Correct any inaccurate or incomplete personal data.
Right to Restrict
Limit how we process your personal data in certain circumstances.
Right to Object
Object to processing based on legitimate interests or direct marketing.
How to Exercise Your Rights
Export Your Data
Go to Settings → Account → Export Data to download all your personal data in JSON or CSV format.
Delete Your Account
Go to Settings → Account → Delete Account to permanently delete all your data. This action is irreversible.
Contact Us
For any other GDPR requests or questions, contact our Data Protection team:
Data We Collect
We collect and process the following categories of personal data:
| Category | Data Types | Purpose |
|---|---|---|
| Account Data | Email, username, password (hashed) | Authentication |
| Profile Data | Display name, avatar, bio | Personalization |
| Usage Data | Habits, completions, streaks | Core service |
| Payment Data | Transaction IDs (no card details) | Billing |
| Technical Data | IP address, device info, logs | Security & analytics |
Legal Basis for Processing
We process your personal data based on the following legal grounds:
- Contract: To provide our services as agreed in our Terms of Service
- Consent: For marketing communications and optional features
- Legitimate Interest: For security, fraud prevention, and service improvement
- Legal Obligation: To comply with applicable laws and regulations
Data Retention
We retain your personal data only for as long as necessary to provide our services and fulfill the purposes outlined in our Privacy Policy. When you delete your account, we permanently delete your data within 30 days, except where we are required by law to retain certain information.
Data Security
We implement appropriate technical and organizational measures to protect your data:
- Encryption in transit (TLS/SSL) and at rest
- Secure authentication with hashed passwords
- Regular security audits and monitoring
- Access controls and employee training
- Data hosted on secure, GDPR-compliant infrastructure
International Transfers
Your data may be processed in countries outside the European Economic Area (EEA). When we transfer data internationally, we ensure appropriate safeguards are in place, such as Standard Contractual Clauses approved by the European Commission.
Complaints
If you believe we have not handled your personal data properly, you have the right to lodge a complaint with your local data protection authority. We encourage you to contact us first so we can address your concerns directly.
Related policies: Privacy Policy • Cookie Policy • Terms of Service