Privacy Policy
This Privacy Policy explains how Ludosati SL ("Ludosati", "we", "us" or "our") processes personal data in connection with the Spend Your Habits mobile application (available on the Apple App Store and Google Play, and built with Expo/React Native) and the marketing and support website at https://spendyourhabits.com (together, the "Service").
We have written this policy to comply with the EU General Data Protection Regulation (Regulation (EU) 2016/679, "GDPR") and Spanish data-protection law, and to be as transparent as possible about what we do and (just as importantly) what we do not do. Spend Your Habits is a gamified habit tracker: completing self-defined habits earns virtual coins, which you spend on self-defined personal rewards. The coins are virtual only and have no monetary value.
1. Who we are
The controller responsible for the processing of your personal data is:
- Ludosati SL, a Spanish limited company (sociedad limitada)
- Registered office: Calle De Valverde 17, 3C, 28004 Madrid, Spain
- NIF: B19831650
- Company registry: Registro Mercantil de Madrid, Hoja M-826660, Inscripción 1ª
Our full company identification and corporate contact details are set out on the Legal Notice page of our website.
To exercise your privacy rights, ask us a question, or send us a complaint about how we handle your data, please use the forms on our Support page: the contact form for general enquiries and the data-deletion request form for erasure requests. We have deliberately designed this policy so that you never need an email address to reach us: the Support page forms are the single point of contact for all privacy matters.
2. Scope of this policy
This policy covers:
- Your use of the Spend Your Habits mobile app on iOS and Android; and
- Your use of the spendyourhabits.com website, including its contact, data-deletion and waitlist forms and its AI support chat.
The website is available in English at the root and in Spanish under the /es path. Language selection is expressed through the URL and is not stored.
This policy does not cover third-party services that you may choose to use in connection with the Service and that act as independent controllers, for example the Apple App Store, Google Play, or the identity providers you may use to sign in (Google, Apple). Their own privacy policies govern their processing. Where those parties act as our processors, they are covered here (see Section 5).
3. Data we process
We divide this section into (a) data processed when you visit the website, and (b) data processed when you use the app. The app is local-first: your device database remains authoritative, while an automatic whole-database cloud snapshot provides backup after account creation.
3.1 Website visitors
(a) Contact form and data-deletion request form. When you submit either form, we process the name, email address and message text you provide. These submissions are delivered to our support inbox by Resend, Inc. (a US email-delivery processor), with the reply-to address set to the address you provided so we can respond to you. We use this data to answer your enquiry or to process your deletion request. Deletion requests are reviewed and actioned by a human being (there is no automated deletion pipeline) within the statutory GDPR period (one month, extendable in accordance with Article 12(3) GDPR where a request is complex or where we receive numerous requests).
(b) Waitlist form. If you join our waitlist, we process only your email address, which is stored in a Google Sheets spreadsheet (with Google acting as our processor). We use it solely to send you launch and early-access news. We do not currently send a confirmation email. You can withdraw at any time using the data-deletion form on the Support page.
(c) AI support chat. Our website offers an AI chat assistant to answer product questions and provide demo coaching. When you use it, the messages you type are sent verbatim to EUrouter (an EU-hosted AI gateway at api.eurouter.ai that processes the data within the EU/EEA with data minimisation), together with your interface language and the assistant tone you have selected. Please treat this chat as a general product-help tool and do not enter sensitive personal data (for example health, religious or similar special-category information) into it. To limit abuse, we apply per-IP usage caps of 20 messages per day and 50 per week.
(d) Bot protection: Cloudflare Turnstile. All of our forms and the AI chat are protected against automated abuse by Cloudflare Turnstile (provided by Cloudflare, Inc., US). To perform its bot-detection challenge, Cloudflare receives your IP address and a challenge token. The Turnstile widget is the only third-party script on the site, and it may set strictly necessary Cloudflare cookies or tokens for this purpose (see Section 13).
(e) Security and abuse prevention. We read IP addresses from request headers to apply per-IP rate limiting. This rate-limit data is held in memory, is short-lived (roughly a rolling week at most) and is not used to build any profile of you. IP addresses and form-submission events also appear in the server logs of our hosting provider Vercel Inc. (US). We additionally use honeypot and timing fields (non-identifying) to screen out bots.
(f) No analytics, advertising or tracking on the website. The website itself sets no cookies of its own and uses no localStorage. There is no web analytics, no advertising and no cross-site tracking. Fonts are self-hosted, so your browser makes no runtime requests to external font services. Language selection is expressed in the URL (/es) and is not stored.
3.2 App users
(g) Local-first by design. Your habits, completions, streaks, coin ledger, rewards and history are stored in an authoritative local database on your device. After you create an account, the App automatically sends an encrypted-in-transit snapshot of that whole database to our backup provider. Ludosati does not operate a row-by-row product database or routinely inspect the content of your backup. Please note honestly that habit names and content are free text that you define, and could indirectly reveal information about your lifestyle or wellbeing. Spend Your Habits is a self-improvement tool and not a medical service or a source of medical advice.
(h) Account and automatic cloud backup. An account is required to use the App. We support authentication via email and password, Google sign-in or Apple sign-in. After account creation, an encrypted-in-transit, whole-database snapshot of your on-device data is stored automatically with Supabase (Postgres hosting) as our processor. The backup is a copy of the authoritative on-device database. If you delete your account, the backup is deleted with it.
(i) Purchases and subscriptions. If you choose to subscribe, subscriptions are purchased through the Apple App Store or Google Play. Entitlement status is managed for us via RevenueCat, Inc. (US). We receive purchase and entitlement metadata (such as product identifier, store transaction identifiers and entitlement state), but never your full payment card details. Apple and Google handle the payment itself.
(j) App diagnostics and usage. When these features ship, we will use Sentry for crash reporting (diagnostics and stack traces) and TelemetryDeck (EU-based) for privacy-focused product analytics based on a random per-install identifier that is not tied to your name or email. Affiliate install attribution may be processed via InsertAffiliate in connection with RevenueCat webhooks.
(k) In-app AI assistant. When it ships, the in-app assistant will be menu-driven (no free-text chat), processed by an EU-hosted AI provider with data minimisation. This is a distinct service from the website AI chat described in Section 3.1(c).
(l) Notifications. Reminders are scheduled locally on your device only. We use no push-notification service and generate no push tokens.
(m) No advertising or tracking in the app. The app contains no ads, uses no advertising identifiers (no IDFA or GAID) and performs no cross-app tracking. Because nothing in the app tracks you, no App Tracking Transparency prompt is required. The app requests no operating-system permissions: no access to your camera, location, contacts, microphone or photos.
3.3 Summary table
| Flow | Data categories | Processor(s) | Where |
|---|---|---|---|
| Contact / deletion form | Name, email, message | Resend (email delivery) | Website |
| Waitlist | Google (Sheets) | Website | |
| AI support chat | Chat messages, interface language, tone | EUrouter (EU-hosted AI gateway) | Website (EU) |
| Bot protection | IP address, challenge token | Cloudflare Turnstile | Website |
| Security / rate limiting | IP address, submission events | Vercel (logs) | Website |
| Local app data | Habits, completions, streaks, coins, rewards, history | None (on device) | Your device |
| Account + automatic backup | Login identifier, database snapshot | Supabase | Cloud |
| Purchases (optional) | Purchase/entitlement metadata | RevenueCat, Apple, Google | App/Store |
| Diagnostics (when shipped) | Crash data, per-install analytics id | Sentry, TelemetryDeck | App |
| Affiliate attribution | Attribution metadata | InsertAffiliate | App |
4. Purposes and legal bases
We only process personal data where we have a lawful basis under Article 6(1) GDPR. The table below maps each purpose to its basis.
| Purpose | Legal basis |
|---|---|
| Answering your contact enquiries | Article 6(1)(b) (steps at your request / performance of a contract) and, where you are not yet a customer, our legitimate interest in responding (Art. 6(1)(f)) |
| Processing data-deletion requests | Article 6(1)(c) (legal obligation to honour your rights) |
| Sending waitlist / launch news | Article 6(1)(a) (consent), withdrawable at any time |
| Operating the AI support chat | Article 6(1)(a) (consent, given by your choosing to send a message) |
| Providing the app and account features | Article 6(1)(b) (performance of a contract) |
| Automatic cloud backup | Article 6(1)(b) (performance of a contract) |
| Purchases and subscriptions | Article 6(1)(b) (performance of a contract) |
| Keeping commercial and tax records for purchases | Article 6(1)(c) (legal obligation) |
| Security, rate limiting, bot protection, fraud/abuse prevention | Article 6(1)(f) (legitimate interest in keeping the Service secure and available) |
| Crash reporting and privacy-focused analytics | Article 6(1)(f) (legitimate interest in a stable, improving product) |
Where we rely on legitimate interests, we have balanced those interests against your rights and freedoms and use only the minimum data necessary (for example, transient in-memory IP handling for rate limiting). You may object to legitimate-interest processing as described in Section 8.
Where we rely on consent (waitlist and AI chat), you may withdraw it at any time; withdrawal does not affect the lawfulness of processing before withdrawal.
Children (Article 8 GDPR). The Service is intended only for users aged 16 or over. We do not operate any parental-consent flow, because under-16s are not permitted to use the Service in the first place. See Section 11.
5. Recipients and processors
We do not sell your personal data. We share data only with the service providers ("processors") that help us run the Service, each acting on our documented instructions. Present providers:
- Resend, Inc. (US): email delivery for contact and deletion forms; receives your name, email and message.
- Google (Google Sheets): storage of waitlist email addresses.
- Cloudflare, Inc. (US): bot protection (Turnstile); receives your IP address and a challenge token.
- EUrouter (EU-hosted AI gateway): AI support chat; receives your chat messages, interface language and selected tone, processed within the EU/EEA.
- Vercel Inc. (US): website hosting; IP addresses and submission events appear in server logs.
Conditional providers, engaged only if you use the relevant feature or once the feature ships:
- Supabase: cloud hosting of the encrypted database-snapshot backup created automatically after account creation.
- Apple App Store / Google Play: payment processing for subscriptions (if you subscribe).
- RevenueCat, Inc. (US): subscription entitlement management; receives purchase/entitlement metadata.
- Sentry: crash reporting (diagnostics, stack traces).
- TelemetryDeck (EU): privacy-focused product analytics via a random per-install identifier.
- InsertAffiliate: affiliate install attribution in connection with RevenueCat webhooks.
- EUrouter: will also power the future in-app, menu-driven AI assistant with data minimisation.
We may also disclose data where required by law, court order or a valid request from a competent authority, or to establish, exercise or defend legal claims.
6. International transfers
Some of our processors are located outside the European Economic Area (EEA). Whenever we transfer personal data internationally, we ensure an appropriate safeguard under Chapter V GDPR is in place.
Resend, Cloudflare, Vercel and Sentry (Functional Software, Inc.) are each certified under the EU-US Data Privacy Framework; transfers to them rely on the European Commission's adequacy decision for that framework. Vercel and Sentry are additionally certified under the UK extension to the framework and the Swiss-US Data Privacy Framework, and Resend is additionally certified under the UK extension.
RevenueCat is not certified under the EU-US Data Privacy Framework. Transfers to RevenueCat (which occur only if and when you subscribe) rely on the EU Standard Contractual Clauses incorporated into its data-processing agreement.
If a provider's certification lapses or does not apply, we rely on the European Commission's Standard Contractual Clauses (SCCs), supplemented by additional measures as appropriate.
7. Retention
We keep personal data only for as long as necessary for the purposes described above.
- Contact and deletion-request submissions: retained for as long as needed to handle your request and thereafter for the duration of applicable legal limitation periods, then deleted.
- Waitlist email addresses: retained until our launch communications conclude or until you withdraw, whichever comes first.
- AI chat messages: the website does not store your chat beyond what is required to process it in the moment; provider-side handling by EUrouter (EU-hosted) is governed by EUrouter's own terms, which we cannot vary. We do not retain a website-side transcript.
- Rate-limit data: transient and held in memory only (roughly a rolling week at most), not persisted.
- Server logs: retained short-term for operational and security purposes, then rotated out.
- On-device app data: retained on your device until you delete it or uninstall the app; this is entirely under your control.
- Cloud backups: retained until you delete your account, at which point the backup is deleted.
- Purchase records: retained for the statutory commercial and tax record-keeping periods applicable in Spain.
8. Your rights
Under the GDPR you have the right to:
- Access the personal data we hold about you;
- Rectify inaccurate or incomplete data;
- Erase your data ("right to be forgotten");
- Restrict processing in certain circumstances;
- Data portability: receive certain data in a structured, commonly used, machine-readable format;
- Object to processing based on our legitimate interests;
- Withdraw consent at any time where processing is based on consent (waitlist, AI chat), without affecting the lawfulness of prior processing.
We do not carry out any automated decision-making, including profiling, that produces legal effects concerning you or similarly significantly affects you.
How to exercise your rights. Please use the forms on our Support page: the contact form or, for erasure, the data-deletion form. We may need to take reasonable steps to verify your identity before acting, to protect your data from unauthorised disclosure. We will respond within one month, extendable by up to two further months for complex or numerous requests, in which case we will inform you.
Note that most of your app data lives on your device: you can exercise access, portability and erasure over that data directly by viewing, exporting (where available) or deleting it, or by uninstalling the app.
9. Complaints to a supervisory authority
If you believe we have processed your personal data unlawfully, you have the right to lodge a complaint with a supervisory authority. In Spain, this is the Agencia Española de Protección de Datos (AEPD), www.aepd.es. You may also complain to the supervisory authority in your EU country of residence, place of work or the place of the alleged infringement. We would, of course, appreciate the chance to address your concerns first via the Support page.
10. Users outside the EEA
10.1 California residents (CCPA / CPRA)
If you are a California resident, the following applies. In the past 12 months we have collected the following categories of personal information, depending on which features you use:
- Identifiers (name, email address, IP address, per-install or account identifiers);
- Internet or other electronic network activity (form submissions, chat messages, rate-limiting signals);
- Commercial information (subscription/entitlement metadata);
- Customer records (contact-form content).
We do not "sell" your personal information and do not "share" it for cross-context behavioural advertising, as those terms are defined under the CCPA/CPRA, and we do not engage in targeted advertising. You have the right to know, delete, correct, and to non-discrimination for exercising your rights. Exercise these rights via the Support page forms.
10.2 United Kingdom
If you are in the United Kingdom, the UK GDPR applies and mirrors the protections described above. You may lodge a complaint with the UK Information Commissioner's Office (ICO).
10.3 Other jurisdictions
If you access the Service from another jurisdiction, your local data-protection laws may grant you rights similar to those above. We aim to honour valid requests consistent with applicable law; please contact us through the Support page.
11. Children
The Service is not directed at children and is intended only for users aged 16 or over. We do not knowingly collect personal data from anyone under 16, and we operate no parental-consent mechanism because under-16s may not use the Service. If you believe a person under 16 has provided us with personal data, please notify us through the Support page and we will delete it.
12. Security
We implement proportionate technical and organisational measures to protect personal data against unauthorised access, loss, alteration or disclosure. These include our local-first architecture, where the authoritative database remains on your device and cloud storage receives a whole-database backup rather than a row-by-row product database. We also use encryption in transit for backups, bot protection, rate limiting and access controls with our processors. No method of transmission or storage is ever completely secure, however, and we cannot guarantee absolute security.
13. Cookies and similar technologies
The spendyourhabits.com website sets none of its own cookies and uses no localStorage. The only cookies or tokens that may be set are the strictly necessary cookies/tokens used by Cloudflare Turnstile to perform bot protection on the forms and AI chat. Because these are strictly necessary for a service you have requested, they do not require a consent banner under the ePrivacy rules. We use no advertising or analytics cookies on the website whatsoever.
14. Changes to this policy
We may update this policy from time to time, for example when backup or account features change or when we engage a new processor. When we do, we will revise the "Last updated" date at the top. For material changes, we will take reasonable steps to bring them to your attention through the Service or the website before they take effect. We encourage you to review this policy periodically.
15. How to contact us
For any question about this policy or your personal data, or to exercise your rights, please use the forms on our Support page:
- General enquiries: the contact form
- Data-deletion requests: the deletion form
Our full company identification is available on the Legal Notice page of our website. Ludosati SL is the controller responsible for your personal data as described in Section 1.
