Privacy Policy

Last updated: February 14, 2026

HabitStable is a mobile application operated by Gürkan Gül ("Developer", "we", "us", and "our"), an independent software developer based in Istanbul, Turkey.

This Privacy Policy explains how we collect, use, disclose, and otherwise process personal information in connection with the HabitStable mobile application and any related online services (each a "Service" and collectively, the "Services").

We are committed to protecting your privacy and handling your personal data responsibly. By downloading, installing, or using HabitStable, you agree to the collection and use of information in accordance with this Privacy Policy. If you do not agree with this Privacy Policy, please do not use our Services.

1. Data Controller Information

The data controller responsible for your personal data is:

HabitStable

Operated by Gürkan Gül, Independent Software Developer

Address: Istanbul, Turkey

Email: tooloraio@gmail.com

As an independent developer, Gürkan Gül is personally responsible for the processing of your personal data in connection with HabitStable, in accordance with the European General Data Protection Regulation ("GDPR"), the Turkish Personal Data Protection Law No. 6698 ("KVKK"), and other applicable data protection laws.

2. Data Minimization Principle

We only collect personal information that is strictly necessary, relevant, and limited to what is required to provide and improve our Services. We do not collect excessive data beyond what is needed for the core functionality of the application.

3. Information We Collect

We may obtain information about you through your use of our Services. The categories of personal information we collect may vary based on the features being used:

3.1 Information You Provide to Us

Account Information: When you create an account, we may collect your name, email address, username, and profile information.
Habit Data: Information about your habits, goals, routines, and progress that you input into the application, including habit names, frequency, completion status, streaks, and notes. We treat all habit-related data with the highest level of confidentiality and use it solely for providing the Service to you.
Gamification Data: Information related to your in-app horse companion, achievements, rewards, levels, and other gamification elements.
Feedback and Communications: Any information you provide when you contact us for support, submit feedback, participate in surveys, or communicate with us via email or other channels. Any feedback you provide is voluntary and may be used by us to improve our Services.
Payment Information: If you purchase a subscription or in-app purchase, payment processing is handled entirely by third-party payment processors (Apple App Store or Google Play Store). We do not directly collect, process, or store your credit card, banking, or other financial information. We only receive confirmation of successful transactions and subscription status from these platforms.

3.2 Sensitive Data Disclaimer

HabitStable does not intentionally collect special categories of personal data (such as health data, biometric data, racial or ethnic origin, political opinions, religious beliefs, or data concerning sexual orientation).

However, depending on the habit names and notes you choose to enter (e.g., "take medication", "exercise", "meditation"), the information you input may indirectly relate to your health or well-being. Users are strongly advised not to input sensitive personal data into habit descriptions, notes, or any free-text fields within the application.

We do not proactively collect or require health-related or biometric data. All habit-related data you enter is processed solely for providing the Service to you and is never shared with third parties for profiling, marketing, or advertising purposes.

3.3 Information Collected Automatically

When you use our Services, we may automatically collect certain information, including:

Device Information: Device type, device model, operating system and version, unique device identifiers, device language, screen resolution, and mobile network information.
Usage Data: Information about how you interact with our application, including pages and features accessed, time and date of access, time spent on features, app opens, session duration, and navigation patterns.
IP Address: Your device's Internet Protocol address, which may be used to determine your approximate geographic location (country/city level).
Crash and Performance Data: Information about application crashes, errors, and performance metrics to help us improve the stability and quality of the application.
Advertising Identifiers: Such as Apple's IDFA or Google's Advertising ID, which are randomly generated identifiers that you can reset or disable through your device settings. These identifiers are only collected if you have granted permission through your device's tracking settings.

3.4 Application SDKs and Sub-Processors

Our application uses the following third-party software development kits (SDKs) for technical necessity. Each SDK may collect certain data as described below:

SDK / Service	Purpose	Data Collected
RevenueCat	Subscription management and payment verification	Device ID, app opens, purchase history, user identifier
Firebase Analytics (Google)	Usage analytics and app performance	Device info, app events, session data, OS version, country
Firebase Crashlytics (Google)	Crash reporting and error tracking	Device info, crash logs, stack traces, OS version
Firebase Cloud Messaging (Google)	Push notifications	Device token, message delivery data
Sentry	Error tracking and performance monitoring	Device info, error data, stack traces, breadcrumbs

This list will be updated as our technical infrastructure evolves. The data collected by each SDK is used solely for the stated purpose and is subject to the respective provider's privacy policy.

3.5 Information from Third-Party Services

We may receive information from third-party services that you choose to connect with our application:

Sign-in Services: If you choose to sign in using Apple Sign In, Google Sign In, or other third-party authentication providers, we may receive your name, email address, and unique user identifier from those services. We recommend reviewing the privacy policies of these providers before using their services.

4. How We Use Your Information

4.1 No Sale of Personal Information

HabitStable does not sell, rent, or trade your personal information to third parties for monetary consideration or for marketing or advertising purposes. We do not use your personal data for third-party advertising profiling outside the scope of our Services. Your specific habit data is never shared with advertising networks, data brokers, or any third party for their own commercial benefit.

4.2 Purposes of Processing

We use the information we collect for the following purposes:

Service Delivery and Operation

Providing, maintaining, and improving our Services.
Processing your habit tracking data and generating progress reports, statistics, and streak calculations.
Managing your account and providing customer support.
Operating the gamification features, including the horse companion system.
Processing transactions and managing subscriptions through third-party platforms.

Service Improvement

Analyzing aggregated and anonymized usage patterns to understand how our Services are used.
Conducting research and analysis to improve existing features and develop new ones.
Identifying and fixing bugs, errors, and performance issues.
Understanding user preferences and behaviors to enhance user experience.

Communication

Sending you important service-related notifications, such as updates, security alerts, and changes to our Terms or Privacy Policy.
Responding to your inquiries, feedback, and support requests.
Sending you promotional communications about new features or offers, only where you have opted in to receive such communications. You may opt out of promotional communications at any time.

Safety and Security

Detecting, preventing, and addressing fraud, abuse, security risks, and technical issues.
Protecting the rights, property, and safety of HabitStable, our users, and the public.
Enforcing our Terms of Service and other policies.

Legal Compliance

Complying with applicable laws, regulations, legal processes, or governmental requests.
Establishing, exercising, or defending legal claims.

4.3 Artificial Intelligence and Automated Features

If the application uses any artificial intelligence (AI) services or machine learning models (e.g., for personalized recommendations, insights, or the horse companion system), the following applies:

Any data sent to AI services is anonymized and stripped of personally identifiable information before transmission.
AI-generated content within the application (such as recommendations, motivational messages, or insights) is for informational and motivational purposes only and does not constitute professional advice of any kind.
We will clearly disclose which AI service providers are used in this Privacy Policy as such integrations are implemented.

Current AI service providers: None at this time. This section will be updated when AI integrations are added.

5. How We Share Your Information

We do not sell your personal information. We may share your information only in the following limited circumstances:

5.1 Third-Party Service Providers

We share your information with trusted third-party service providers who assist us in operating our Services, solely for the purposes described in Section 3.4. These providers are contractually obligated to process your data only on our behalf and in accordance with our instructions, and to maintain appropriate security measures.

5.2 Legal Requirements

We may disclose your information if required to do so by law or in response to valid requests by public authorities (e.g., a court or a government agency), including to:

Comply with a legal obligation, subpoena, or similar legal process.
Protect and defend the rights or property of HabitStable.
Prevent or investigate possible wrongdoing in connection with the Service.
Protect the personal safety of users of the Service or the public.

5.3 Business Transfers

In the event of a merger, acquisition, reorganization, bankruptcy, or sale of all or a portion of our assets, your information may be transferred as part of that transaction. We will notify you via in-app notification and/or email of any such change and any choices you may have regarding your information before the transfer takes effect.

6. Data Storage and Retention

6.1 Data Storage

Your habit data and application data are primarily stored locally on your device. Certain data may also be stored on our secure servers (hosted via reputable cloud providers such as Amazon Web Services, Google Cloud Platform, or similar) to enable features such as account synchronization, backup, and cross-device access.

We use industry-standard security measures to protect your data, including encryption in transit (TLS/SSL) and at rest.

6.2 Data Retention

We retain your personal information for as long as your account is active or as needed to provide you with our Services.

If you delete your account, we will delete or anonymize your personal information within a reasonable period (generally 30 days), unless we are required to retain certain information for legal, regulatory, or legitimate business purposes. Backup copies may remain in secure, encrypted archives for up to 30 additional days before permanent deletion due to technical processes.

Automatically collected data (such as usage analytics) may be retained in aggregated, anonymized form for a longer period for analytical and statistical purposes, in a manner that does not identify individual users.

7. Your Rights and Choices

Depending on your location, you may have certain rights regarding your personal information:

7.1 Access and Portability

You have the right to request access to the personal information we hold about you and to receive a copy of your data in a structured, commonly used, and machine-readable format.

7.2 Correction

You have the right to request correction of inaccurate or incomplete personal information we hold about you.

7.3 Deletion (Account Deletion)

You have the right to request deletion of your personal information. You can delete your account directly through the application settings without any complex steps or requirement to send an email. The account deletion process is straightforward and accessible within the app.

Important notices regarding account deletion:

Deletion of your account is permanent and cannot be reversed. All personal data, habit history, gamification progress, and associated content will be irreversibly destroyed from our servers.
Deleting your account does not automatically cancel active subscriptions. You must separately cancel your subscription through the Apple App Store or Google Play Store subscription settings before or after deleting your account.
Backup copies may remain in secure, encrypted archives for up to 30 additional days before permanent deletion.
Anonymized and aggregated data that cannot be used to identify you may be retained for analytical purposes.

7.4 Restriction and Objection

You have the right to request restriction of processing of your personal information or to object to our processing of your personal information in certain circumstances.

7.5 Withdrawal of Consent

Where we rely on your consent for processing, you have the right to withdraw your consent at any time. Withdrawal of consent does not affect the lawfulness of processing carried out before the withdrawal.

7.6 Opt-Out of Communications

You can opt out of receiving promotional communications by following the unsubscribe instructions included in such communications or by adjusting your notification settings within the application.

7.7 Device Permissions

You can control certain data collection through your device settings, such as disabling push notifications, revoking location access, or resetting/disabling your advertising identifier.

7.8 Right to Lodge a Complaint

If you are located in the European Economic Area (EEA) or the United Kingdom (UK), you have the right to lodge a complaint with your local data protection supervisory authority if you believe that our processing of your personal data violates your rights under GDPR.

If you are located in Turkey, you have the right to lodge a complaint with the Personal Data Protection Authority (Kişisel Verileri Koruma Kurumu — KVKK) if you believe your rights under KVKK have been violated.

7.9 Data Deletion via Uninstallation

You can stop all local data collection by uninstalling the application from your device. Note that uninstalling the app does not delete your server-side account data; you must delete your account through the app settings before uninstalling, or contact us to request deletion.

To exercise any of these rights, please contact us at the contact information provided in Section 16 of this Privacy Policy.

8. Automated Decision-Making and Profiling

We may use automated processing and analytics to generate progress statistics, streak calculations, habit completion rates, and personalized in-app recommendations (such as suggested habits or motivational content).

These automated processes do not produce legal effects or similarly significant effects on users. No decisions with legal or financial consequences are made solely based on automated processing of your data.

You have the right to object to automated decision-making and profiling under GDPR Article 22 and KVKK. To exercise this right, please contact us at the information provided in Section 16.

9. Data Security

We take the security of your personal information seriously and implement appropriate technical and organizational measures to protect your data against unauthorized access, alteration, disclosure, or destruction. These measures include:

Encryption of data in transit using TLS/SSL.
Encryption of sensitive data at rest.
Regular security assessments and vulnerability scanning.
Access controls and authentication mechanisms.
Secure software development practices.
Regular backups with encrypted storage.
Monitoring systems for unauthorized access detection.

9.1 Data Breach Notification

In the event of a data breach that is likely to result in a risk to your rights and freedoms, we will:

Notify affected users without undue delay and, where feasible, within 72 hours of becoming aware of the breach.
Notify the relevant supervisory authorities as required by applicable law (including GDPR Article 33 and KVKK Article 12).
Provide information about the nature of the breach, the likely consequences, and the measures taken or proposed to address the breach.

No method of transmission over the Internet or method of electronic storage is 100% secure. While we strive to use commercially acceptable means to protect your personal information, we cannot guarantee its absolute security.

10. Tracking Transparency and Do Not Track

We honor device-level privacy settings, including Apple's App Tracking Transparency (ATT) framework. If you choose not to allow tracking through the ATT prompt, advertising identifiers (IDFA) will not be collected or used for cross-app tracking purposes.

For Android users, you can opt out of personalized advertising by adjusting your device's advertising settings or resetting your Google Advertising ID.

We respect "Do Not Track" (DNT) browser signals where applicable. When a DNT signal is detected, we will not engage in cross-site tracking activities.

11. Children's Privacy

Our Services are not directed to children under the age of 13 (or 16 in the European Economic Area). We do not knowingly collect personal information from children under these ages.

If we become aware that we have collected personal information from a child under the applicable age, we will take steps to delete such information promptly from our servers. If you are a parent or guardian and believe that your child has provided us with personal information, please contact us so that we can take appropriate action.

12. Health and Medical Disclaimer

HabitStable is not a medical device, healthcare service, or health monitoring tool. The application is designed solely for personal productivity, motivation, and habit tracking purposes.

Habit reminders, notifications, streak tracking, and all other features are for informational and motivational purposes only and do not constitute medical, health, psychological, or professional advice.
HabitStable cannot be held responsible for any health issues, missed medications, or adverse outcomes arising from the application failing to send notifications, experiencing technical errors, or being unavailable.
If you track health-related habits (such as medication intake, exercise, or dietary habits), you should not rely solely on HabitStable for critical health management. Always consult qualified healthcare professionals for medical advice.
The gamification features (including the horse companion) are designed for motivational purposes only and do not provide clinical or therapeutic recommendations.

13. International Data Transfers

Your information may be transferred to and processed in countries other than the country in which you reside. These countries may have data protection laws that are different from the laws of your country.

When we transfer your information to other countries, we take appropriate safeguards to ensure that your personal information remains protected in accordance with this Privacy Policy and applicable data protection laws. For transfers from the European Economic Area (EEA), the United Kingdom (UK), or Turkey, we rely on appropriate legal mechanisms such as:

European Commission's Standard Contractual Clauses (SCCs).
Adequacy decisions by relevant authorities.
Other approved transfer mechanisms under applicable law.

14. Legal Basis for Processing (EEA, UK, and Turkey)

If you are located in the European Economic Area (EEA), the United Kingdom (UK), or Turkey, our legal basis for collecting and using your personal information depends on the type of information and the context in which we collect it:

Performance of a Contract: Processing necessary for the performance of our contract with you (i.e., providing the Services you requested).
Legitimate Interests: Processing necessary for our legitimate interests, such as improving our Services, ensuring security, and conducting analytics, provided that such interests are not overridden by your data protection rights.
Consent: Where you have given us your explicit consent to process your personal information for specific purposes, such as sending promotional communications or collecting advertising identifiers.
Legal Obligation: Processing necessary for compliance with a legal obligation to which we are subject.

15. KVKK (Turkish Data Protection Law) Notice

If you are a resident of Turkey, the following additional provisions apply under the Personal Data Protection Law No. 6698 ("KVKK"):

Data Controller: HabitStable, operated by Gürkan Gül, an independent software developer based in Istanbul, Turkey, acts as the data controller (veri sorumlusu) for your personal data.
Purpose of Processing: Your personal data is processed for the purposes outlined in this Privacy Policy, including providing and improving our Services, ensuring security, and complying with legal obligations.
Transfer of Data: Your personal data may be transferred domestically and internationally in accordance with Articles 8 and 9 of KVKK, with appropriate safeguards in place.
Your Rights under KVKK (Article 11): You have the right to:
- (a) Learn whether your personal data has been processed.
- (b) Request information about the processing if your data has been processed.
- (c) Learn the purpose of processing and whether your data is used in accordance with its purpose.
- (d) Know the third parties to whom your personal data is transferred domestically or abroad.
- (e) Request correction of incomplete or inaccurate data.
- (f) Request deletion or destruction of your personal data under the conditions set forth in Article 7 of KVKK.
- (g) Request notification of corrections, deletions, or destruction to third parties to whom your data has been transferred.
- (h) Object to any result that is against your interests arising from the analysis of your data exclusively through automated systems.
- (i) Claim compensation for damages arising from the unlawful processing of your personal data.

To exercise your rights under KVKK, you may submit a written request to us using the contact information provided in Section 18. We will respond to your request within 30 days in accordance with KVKK requirements.

16. California Privacy Rights (CCPA/CPRA)

If you are a California resident, you may have additional rights under the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA), including:

Right to Know: You have the right to request information about the categories and specific pieces of personal information we have collected about you, the sources, the purposes, and the third parties with whom we have shared the information.
Right to Delete: You have the right to request that we delete personal information we have collected from you, subject to certain exceptions.
Right to Correct: You have the right to request correction of inaccurate personal information.
Right to Opt-Out: You have the right to opt out of the "sale" or "sharing" of your personal information. We do not sell or share your personal information for cross-context behavioral advertising.
Right to Non-Discrimination: We will not discriminate against you for exercising your privacy rights.

To exercise your California privacy rights, please contact us using the information provided in Section 18.

17. Third-Party Links, Services, and Cookies

Our Services may contain links to third-party websites, services, or applications that are not owned or controlled by HabitStable. This Privacy Policy does not apply to such third-party services. We are not responsible for the privacy practices of these third-party services and encourage you to review their privacy policies before providing any personal information.

Our mobile application may use local storage, caching, and similar technologies to store information about your preferences and usage patterns on your device. These technologies help us remember your settings, analyze usage patterns, and ensure the proper functioning of the application. You can manage these preferences through your device settings. Clearing the app data or cache will remove locally stored information.

18. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technologies, legal requirements, or other factors. We will notify you of any material changes by:

Posting the updated Privacy Policy within the application.
Sending you a push notification or in-app notification.
Updating the "Last updated" date at the top of this document.

Material changes will not reduce your rights under this Privacy Policy without your explicit consent.

Your continued use of the Services after the effective date of any changes constitutes your acceptance of the updated Privacy Policy. If you do not agree with the updated Privacy Policy, you should stop using the Services and delete your account.

19. Contact Us

If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us at:

HabitStable

Operated by Gürkan Gül, Independent Software Developer

Address: Istanbul, Turkey

Email: tooloraio@gmail.com

For data protection inquiries specifically related to GDPR, KVKK, or CCPA, please include "Privacy Request" or "Data Protection" in the subject line of your email to ensure timely processing.

We will respond to all legitimate requests within 30 days. In exceptional circumstances, it may take us longer to respond, in which case we will notify you of the delay and the reasons for it.

This Privacy Policy is effective as of February 14, 2026.