Legal
Privacy Policy
Last updated: May 19, 2026 · Effective: May 19, 2026
Overview
Habitask is a personal productivity app that helps you manage tasks, track habits, and stay organized. This Privacy Policy explains what information we collect when you use the Habitask mobile application, why we collect it, how we store and protect it, and the choices you have over your data.
By creating an account or using Habitask, you agree to the practices described in this policy. If you do not agree, please do not use the app.
The short version: We collect only what we need to run the app. We do not sell your data, serve you ads, or use third-party analytics. Your tasks, habits, and journal entries belong to you.
Data Controller
Yacine Elkeikeli, operating under Petala Noar
Contact: petalanoar.support@gmail.com
Information We Collect
Account information
When you create an account we collect:
- Full name
- Email address
- Password — stored as a cryptographic hash only; we never store your plain-text password
If you sign in with Google or Apple, we receive your name and email address from those providers. We do not receive your Google or Apple password.
Content you create
- Tasks — titles, descriptions, due dates, priorities, status, and repeat schedules
- Habits — names, descriptions, types, frequencies, and completion history
- Projects and folders — names, colors, and icons
- Notes — titles and text content
- Journal entries — text content and mood ratings
- Tags — names and colors
- Task attachments — photos or links you attach to tasks (stored locally on your device only; never uploaded to our servers)
Technical information
- Device timezone — used to schedule reminders at the correct local time
- Authentication token — a JWT stored locally on your device to keep you signed in
What we do not collect
- Location data
- Device advertising identifiers (IDFA, IDFV)
- Browsing history or cross-app tracking data
- Crash reports or diagnostic telemetry
- Any form of usage analytics
How We Use Your Information
| Purpose | Data used | Legal basis (GDPR) |
|---|---|---|
| Create and manage your account | Name, email, password hash | Performance of contract |
| Verify your email at sign-up | Email, 6-digit code | Performance of contract |
| Store and sync your tasks, habits, and notes | All content you create | Performance of contract |
| Send local reminders and notifications | Task/habit titles and scheduled times | Performance of contract / Consent |
| Sync tasks to Apple Calendar (if you enable it) | Task title, description, due date | Consent |
| Keep you signed in across sessions | JWT stored on device | Performance of contract |
| Export your data on request | All content you created | Legal obligation / Consent |
| Respond to support requests | Email, message you send us | Legitimate interest |
We do not sell your personal data.
We do not use your data for advertising or marketing.
We do not share your data with third parties except as described below.
Data Storage & Security
On your device
Habitask stores a local copy of all your data in an SQLite database on your device. This allows the app to work fully offline. The database is protected by your device's built-in storage security (iOS data protection). Task photo attachments are stored only locally and are never uploaded to our servers.
On our servers
Your account information and app content are stored on servers provided by Supabase, Inc., a SOC 2 compliant cloud infrastructure provider. All data is transmitted over HTTPS (TLS encryption in transit).
Passwords
Passwords are hashed using bcrypt with a cost factor of 12 before storage. We cannot recover or read your plain-text password.
Authentication tokens
Your sign-in token (JWT) is stored in your device's local storage. It expires after 30 days. Signing out clears it immediately.
Verification codes
Email verification codes are 6 digits long, single-use, and expire after 15 minutes.
Rate limiting
Authentication endpoints enforce rate limiting to prevent brute-force attacks (maximum 5 attempts per hour per IP address).
Third-Party Services
We rely on the following third-party services to operate Habitask. Each is a data processor acting on our behalf:
Supabase, Inc.
Purpose: Cloud database and authentication infrastructure.
Data shared: Your account information (name, email, hashed password) and all content you create.
Privacy policy: supabase.com/privacy
Resend, Inc.
Purpose: Transactional email delivery — verification codes only.
Data shared: Your name and email address, used solely to send the verification email.
Privacy policy: resend.com/legal/privacy-policy
Google LLC (Google Sign-In)
Purpose: Optional OAuth sign-in.
Data shared: If you choose "Sign in with Google," Google shares your name, email, and Google account ID with us. We do not share Habitask data back to Google.
Privacy policy: policies.google.com/privacy
Apple Inc. (Sign in with Apple)
Purpose: Optional OAuth sign-in.
Data shared: If you choose "Sign in with Apple," Apple shares your name and email (or a private relay email) on first sign-in only. Subsequent sign-ins share only your Apple ID.
Privacy policy: apple.com/legal/privacy
Apple Calendar (EventKit)
Purpose: Optional calendar integration.
Data shared: If you enable Apple Calendar Sync, task titles, descriptions, and due dates are written to a dedicated "Habitask" calendar on your device. This data stays on your device and in your iCloud — it is not sent to our servers.
We do not use advertising networks, analytics platforms (e.g., Firebase, Mixpanel, Amplitude), or crash-reporting services.
Device Permissions
| Permission | Why we need it | Required? |
|---|---|---|
| Notifications | To send you local reminders for tasks and habits. All notifications are generated on your device — nothing passes through a remote push server. | Optional |
| Calendars (Full Access) | To create and update task events in a "Habitask" calendar in your Apple Calendar app. | Optional |
| Photo Library / Camera | To let you attach photos to tasks. Photos are stored only on your device and are never uploaded to our servers. | Optional |
You can revoke any permission at any time in your device's Settings app without affecting unrelated features.
Data Retention
- Active accounts: We retain your data for as long as your account is active.
- Verification codes: Expire after 15 minutes and are invalidated after first use.
- Incomplete sign-ups: Accounts that were never verified are deleted automatically.
- After deletion: We delete your account and all associated data within 48 hours. Data may remain in encrypted backups for up to 30 days before those backups expire.
- Local data: Data stored on your device (SQLite database, attachments) is not deleted by us when your account is deleted. Uninstalling the app removes all local data from your device.
Your Rights
Depending on where you live, you may have the following rights. To exercise any of them, contact us at petalanoar.support@gmail.com.
- Access: Request a copy of the personal data we hold about you.
- Correction: Update your name and email directly in the app (Settings → Email), or contact us for other corrections.
- Deletion: Request deletion of your account and all associated data. We process it within 48 hours.
- Data portability: Export all your tasks, habits, and projects as a CSV file at any time from Settings → Export data.
- Withdraw consent: Disable optional features (notifications, calendar sync) at any time in Settings. This does not affect processing that already occurred.
- No marketing emails: We only send transactional emails (verification codes). There are no marketing emails to unsubscribe from.
EU / EEA residents (GDPR): You also have the right to object to processing, restrict processing, and lodge a complaint with your local data protection authority.
California residents (CCPA / CPRA): You have the right to know what personal information is collected, to delete it, to opt out of sale (we do not sell data), and to non-discrimination for exercising these rights.
International Data Transfers
Habitask uses Supabase for data storage. Supabase may store and process your data in data centers located outside your country of residence, including the United States and the European Union. If you are in the EEA or UK, such transfers are conducted in accordance with applicable data protection laws, relying on standard contractual clauses or other lawful transfer mechanisms where required.
Children's Privacy
Habitask is not directed to children under the age of 13. We do not knowingly collect personal information from children under 13. If you are a parent or guardian and believe your child has provided us with personal information, contact us at petalanoar.support@gmail.com and we will delete that information promptly.
Changes to This Policy
We may update this Privacy Policy from time to time. When we make material changes we will update the "Last updated" date at the top of this page and, where feasible, notify you through the app. Continued use of Habitask after changes are posted constitutes your acceptance of the revised policy.
Questions?
If you have any questions about this Privacy Policy or want to exercise any of your rights, reach out directly.
petalanoar.support@gmail.com