ImproveHabits is a family-focused product where adult users (parents/guardians) create and manage accounts, and minor access is parent-supervised. This Privacy Policy explains how we collect, use, share, retain, and protect personal information across the ImproveHabits website and related services.

1. Scope of This Privacy Policy

This Privacy Policy applies to ImproveHabits websites, applications, and features that link to this policy. It does not apply to third-party products or websites that we do not control, even if linked from our service.

2. Who Controls Data

ImproveHabits determines the purposes and means of processing personal information for this service. In practical terms, this means we decide what data is required to operate account access, family collaboration, safety controls, and support.

3. Account Roles, Age Rules, and Family Model

• Adult accounts are for users who are at least 18 years old or the age of legal adulthood in their jurisdiction.
• Child profiles are intended for users who are minors under local law and are managed by a parent or legal guardian.
• Parents/guardians are responsible for supervising child access and for compliance with local age and consent rules.
• You are responsible for determining when a child should receive more independent access under local law.

4. Categories of Information We Collect

Depending on your use of the service, we may collect:

• Adult account details: first name, last name, email address, optional contact data, timezone, and account settings.
• Authentication/security data: password hash, OTP token hashes, session identifiers, login attempts, account lock/security events.
• Child profile details: name or display name, profile settings, family relationship links, and parent-managed account metadata.
• Family and connection records: family groups, invitations, approved connections, and request history.
• Product activity data: tasks, progress, completion history, points, and related engagement records.
• Communication data: chats/messages and message metadata when communication features are used.
• Support and contact data: information submitted when contacting support, reporting issues, or providing feedback.
• Technical/log data: IP address, browser/device details, request logs, diagnostics, and anti-abuse telemetry.

5. How We Collect Information

• Directly from you: when you sign up, verify, update profiles, connect families, assign tasks, or contact us.
• Automatically: through cookies, session tools, logs, and security monitoring during normal service use.
• From parent-managed workflows: when parents/guardians create or manage child profiles and permissions.

6. Why We Use Information

We use personal information to:

• Provide the service and core features, including registration, login, OTP verification, and password reset.
• Operate family collaboration features, requests, approvals, and relationship controls.
• Protect users and platform integrity by detecting abuse, suspicious behavior, and unauthorized access.
• Send transactional notices, security messages, policy notices, and account-related updates.
• Diagnose issues, monitor reliability, and improve product quality and performance.
• Comply with legal obligations and enforce contractual and platform rules.

7. Legal Bases for Processing

Depending on your jurisdiction, we rely on one or more legal bases: performance of a contract (providing your account and requested features), legitimate interests (security and service reliability), legal obligations, and consent where law requires it. Policy consent events are tracked for adult accounts.

8. Profile Visibility and Connection Rules

• Child profiles are visible only to people a parent/guardian approves through connection controls.
• Adult profiles are visible to other adults in the service to enable connection requests and family collaboration.
• Parents/guardians can manage visibility outcomes through available account and connection settings.

9. Communications and Child Safety Context

When communication features are used, information may be shown to intended recipients within approved family/connection contexts. Parents/guardians are responsible for supervising child usage and deciding which connections are permitted.

10. How We Share Information

We may share personal information in the following cases:

• With approved users: profile and activity data made visible by family and connection permissions.
• With service providers: vendors that support hosting, email delivery, authentication, security, analytics, and support operations.
• For legal/safety purposes: where required by law or necessary to protect users, minors, platform integrity, or our legal rights.
• Corporate transactions: in connection with a merger, acquisition, financing, or asset transfer, subject to legal safeguards.

11. Service Providers and Processor Controls

We use providers that process data on our behalf under contractual obligations. Providers are expected to use data only to deliver contracted services and to apply appropriate security controls.

12. Sale, Advertising, and Sensitive Uses

As of this effective date, ImproveHabits does not sell personal information for monetary consideration. We do not rely on child profiles for targeted advertising workflows. If this approach changes, we will update this policy and provide any notices or choices required by applicable law.

13. Cookies and Similar Technologies

We use cookies and similar tools for:

• Strictly necessary functions: authentication, session continuity, and security protection.
• Functional preferences: settings like interface behavior and saved choices.
• Performance and diagnostics: reliability monitoring and troubleshooting, where enabled.

For additional details, see our Cookie Policy. You may control some cookies through browser settings, but disabling required cookies can break essential features.

14. Data Retention

• We retain information for as long as needed to provide the service and meet legal, security, and operational obligations.
• Retention periods vary by category, including account records, security logs, support records, and product activity history.
• When data is no longer required, we delete or de-identify it as appropriate to the system and legal context.

15. Account Closure, Deletion, and Residual Data

• Parents/guardians may request account closure or deletion through Contact Us.
• We may retain limited records where required for fraud prevention, abuse detection, legal compliance, audits, or disputes.
• Content previously shared with other users (including chat context) may remain visible to those recipients.

16. Security Safeguards

We apply administrative, technical, and organizational safeguards designed to protect data from unauthorized access, loss, alteration, and disclosure. Security methods include credential hashing, token expiry and one-time use controls, access controls, and monitoring. No system can be guaranteed fully secure.

17. Incident Response

If we detect a security incident affecting personal information, we investigate, contain, and remediate according to our operational procedures and applicable legal notification requirements.

18. International and Cross-Border Processing

ImproveHabits data is primarily hosted and processed in the United States using U.S.-based infrastructure providers. Depending on support operations and service providers, limited processing may also occur in other jurisdictions. If you access the service from outside the United States, your information may be transferred to and processed in the United States and other countries where our providers operate. Where legally required, we use safeguards appropriate for cross-border transfers.

19. Your Rights and Choices

Depending on local law, you may have rights to:

• Request access to personal information we hold about you.
• Request correction of inaccurate or incomplete information.
• Request deletion of personal information, subject to lawful exceptions.
• Object to or request restriction of certain processing activities, where available.
• Withdraw consent where processing depends on consent.

To make a rights request, contact us through Contact Us. We may verify identity before completing the request.

20. Parent/Guardian Controls for Child Information

• Parents/guardians control child profile setup, visibility approvals, and account-level permissions.
• Parents/guardians may request access, correction, or deletion for child data, subject to legal and security exceptions.
• When law requires parental consent for child data processing, parent/guardian account actions represent that consent.

21. Communications Preferences

We send operational and security-related communications that are necessary for account use. If we add optional marketing messages in the future, we will provide unsubscribe controls as required by law.

22. Third-Party Links and Integrations

Our service may link to third-party websites or services. Their privacy practices are governed by their own policies, not this policy. Please review third-party notices before sharing information.

23. Data Accuracy and User Responsibilities

You are responsible for providing accurate account information and updating it when changes occur. Accurate data helps us maintain account security and deliver required notices.

24. Changes to This Privacy Policy

• We may update this policy from time to time as the product, laws, or business practices evolve.
• When updates are material, we will revise the version and effective date and provide notice as required by law.
• For significant child-data handling changes, we may request renewed parent/guardian acknowledgment where required.

25. Contact Us

For privacy questions, rights requests, or data-handling concerns, contact us through Contact Us.

26. Jurisdictional Compliance and All-Encompassing Rule

ImproveHabits is currently operated from Ontario, Canada, with primary data hosting in the United States. Our privacy program is designed to align with applicable legal frameworks relevant to family and child-focused services, including:

• United States: child privacy expectations under COPPA (Children's Online Privacy Protection Act), where applicable.
• Canada: PIPEDA and applicable provincial privacy requirements, as relevant to our operations and users.
• India: the Digital Personal Data Protection Act, 2023 (DPDP Act), where applicable to users and processing activities.

All-encompassing rule: where multiple privacy laws could apply, we interpret and operate this policy in a way intended to meet the stricter applicable legal requirement. If a local law gives users stronger rights or protections than this policy text, the stronger local legal right governs to that extent.

27. Legal Notice

This Privacy Policy is provided for transparency about our practices. It is not legal advice for users. If you need legal guidance, consult a qualified legal professional in your jurisdiction.